
Joint Written Project (JWP) Assignment

Automating Crosswalk between SP 800, the 20 Critical Controls, and the Australian Government Defence Signals Directorate’s 35 Mitigating Strategies

GIAC Enterprises

Authors: Ahmed Abdel-Aziz, Robert Sorensen

February 2012


Automating Crosswalk between SP 800 and the 20 Critical Controls 2

Table of Contents

1. Executive Summary ... 3
2. Introduction ... 4
3. Relationship between SP 800, 20 Critical Controls, and the Australian Government DSD’s 35 Mitigating Strategies ... 5
3.1 SP 800 ... 5
3.2 20 Critical Security Controls ... 5
3.3 Australian Government Defence Signals Directorate’s 35 Mitigating Strategies ... 8
4. Developing APT-focused Security Guidance Strategy ... 8
4.1 Advanced Persistent Threats (APTs) ... 8
4.2 Risk-based Approach ... 9
5. Automation Approach for Critical Controls 15 and 17 ... 12
5.1 Exploiting the Absence of Critical Controls 15 and 17 ... 12
5.2 Focusing on the Data ... 12
5.3 Establishing a Risk-based DLP Program ... 13
5.4 Automating Data Classification and Policy Definition ... 14
5.5 Automating the Control of Data-in-Motion ... 16
5.6 Automating the Control of Data-at-Rest/Data-in-Use ... 18
6. Automation Approach for Critical Controls 4 and 5 ... 22
6.1 Exploiting the Absence of Critical Controls 4 and 5 ... 24
6.2 Focusing on the APTs, and the Threat Vectors through Continuous Monitoring ... 24
6.3 Control 4 - Automating Continuous Vulnerability Assessment and Remediation ... 26
6.4 Control 5 - Automating Continuous Monitoring of Malicious Software and Malware Callbacks ... 30
7. Recommended Risk-based Action Plan ... 33
8. References ... 35
9. Appendix ... 40
Appendix A: FIPS PUB 200 - Specifications for Minimum Security Requirements ... 40
Appendix B: Mapping between the 20 Critical Security Controls and National Institute of Standards and Technology Special Publication 800-53, Revision 3, Priority 1 Items ... 44
Appendix C: Mapping between the 20 Critical Security Controls and the Australian Government Defence Signals Directorate’s 35 Mitigation Strategies ... 46


1. Executive Summary

GIAC Enterprises is a small to medium sized growing business (1,000 employees) with two data centers and 200 people in central business and IT. The GIAC Enterprises Fortune Cookie sayings are a closely guarded secret and have come under attack from competitors in the past. Recently, a security expert from a respected consultancy gave a briefing on a topic titled, “Operation Shady RAT,” that outlined a scenario where many corporations and government organizations were compromised routinely over a period of five years (Alperovitch, 2011). This has prompted our organization to examine key security investments, come up with sound advice regarding security strategy, and how to implement that strategy.

In making this recommendation, we reached out for guidance included in widely recognized information security frameworks. Our analysis showed SANS’ Consensus Audit Guidelines (CAG) reinforces and prioritizes some of the important elements put forth in U.S. government documentation such as NIST SP 800-53. Furthermore, portions of the CAG are reinforced by the Australian Government Defence Signals Directorate’s (DSD) 35 strategies to mitigate targeted cyber intrusions. After reviewing the direct mapping between the 20 critical controls and NIST SP 800-53, and DSD’s 35 strategies, we adopted a security guidance strategy that is based on or designed to counter Advanced Persistent Threats (APTs). APTs currently pose significant risks to GIAC Enterprises, and it is likely the situation will stay that way for the foreseeable future. Therefore, our risk-based security guidance strategy is information focused and gives special attention to four security controls, which are geared well for attacks with APT characteristics. The four security controls are: 1) Controlled Access based on the Need-to-Know; 2) Continuous Vulnerability Assessment and Remediation; 3) Malware Defenses; and 4) Data Loss Prevention (DLP).

We have devised automation approaches for these four controls to facilitate implementing them. We argue that more attention is needed to secure the data, and have proposed a model for a DLP program. Therefore, we have developed an automation approach for data classification and DLP policy definition. This was followed by automation approaches to control data-in-motion, data-at-rest, and data-in-use. We knew that for an attack to succeed, it will need to exploit a vulnerability. That is why we also focused on reducing our attack surface by developing an automation approach for continuous vulnerability assessment and remediation, as well as malware defenses.

Finally, our research ends with a recommended action plan for GIAC Enterprises. The objective of this action plan is to take the organization from its current security state, to the desired security state, in a step-by-step fashion.


2. Introduction

Advanced Persistent Threats (APTs) (Andress, 2011)! Operation Shady RAT (Lau, 2011)! These are terms or references that just a few years ago would not have raised an eyebrow. Today, they are well known and often overused buzzwords. However, that does not change the nature of the threat that they have exposed. From the highly visible case of “Operation Aurora,” where Google, Adobe, and dozens of other companies came under attack in 2009 and 2010 from sources believed to be in China (McClure, 2010), to the sophistication and stealth of the compromise of RSA intellectual property (Coviello, 2011), major corporations have come under attack. What is to prevent your enterprise from suffering the same fate?

As reported in the second Qualys annual report, modern-day attackers employ organized, well-written, and highly sophisticated exploit code to do their deeds (Dausin, 2010). To assist in counteracting the many assaults, one needs to take proactive steps to manage risk and exposure. Guidance to help mitigate this risk has been provided as a result of multiple initiatives. Examples of such initiatives are: the Federal Information Security Management Act (FISMA), the 20 Critical Security Controls, and the Australian Government Defence Signals Directorate’s (DSD) 35 Mitigating Strategies. An informative explanation follows to describe the relationship and synergy between these three specific initiatives.

In an effort to maximize the benefit of these initiatives with minimal resources, one must target a subset of controls to initially implement. This idea of initially targeting a subset of controls was proven successful by the Australian DSD, which will be covered in more detail. This research is based on a similar targeting approach; however, the subset of controls selected is a subset of the 20 Critical Controls. The development of a security guidance strategy for GIAC Enterprises, as well as automation approaches for that strategy, will be explored in detail.


3. Relationship between SP 800, 20 Critical Controls, and the Australian Government DSD’s 35 Mitigating Strategies

3.1 SP 800

Title III of the E-Government Act of 2002 (P.L. 107-347), which authorized the Federal Information Security Management Act (FISMA), was designed to strengthen information security government-wide (E-Government Act of 2002). The National Institute of Standards and Technology (NIST) was tasked to develop, document, and implement an organization-wide program to provide security for the information systems that support its operations and assets. The result was the establishment of the FISMA Implementation Project in January 2003 (FISMA Implementation Project, 2009). One of the key publications that came from this effort is SP 800-53 - Recommended Security Controls for Federal Information Systems and Organizations (SP 800-53 Revision 3, 2010). It is designed to cover the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. That standard specifies the minimum security requirements in seventeen security-related areas, and all federal agencies must be in compliance with it (FIPS PUB 200, 2006, p. v).

The specifications for the minimum security requirements can be found in Appendix A: FIPS PUB 200 - Specifications for Minimum Security Requirements (FIPS PUB 200, 2006, p. 2-4).

As noted, SP 800-53 is currently in its third revision. It will continue to be updated to reflect the current state of information security, including guidance concerning insider threats; software application security; social networking; mobile devices; cloud computing; cross-domain solutions; advanced persistent threats; supply chain security; industrial/process control systems; and privacy (Smith, 2011).

3.2 20 Critical Security Controls

In early 2008, as a response to the extreme data losses experienced by leading companies in the U.S. defense industrial base, a consortium of federal agencies and private organizations developed Version 1.0 of the Consensus Audit Guidelines that define the most critical security controls to protect federal and contractor information and information systems (Baseline Standard of Due Care for Cybersecurity, 2009).

This effort has continued to evolve, and the 20 Critical Security Controls, Version 3.1, was released in October 2011 (Consensus Audit Guidelines Version 3.1, 2011). The effectiveness of this document is based on the knowledge of actual attacks and the defensive techniques that are most important to counteract them. Contributors include (CAG, 2011, p. 8):

Consensus Audit Guidelines Contributors

1) Blue team members inside the Department of Defense (DoD) who are often called in when military commanders find their systems have been compromised and who perform initial incident response services on impacted systems.
2) Blue team members who provide services for non-DoD government agencies that identify prior intrusions while conducting vulnerability assessment activities.
3) US Computer Emergency Readiness Team staff and other nonmilitary incident response employees and consultants who are called upon by civilian agencies and companies to identify the most likely method by which systems and networks have been compromised.
4) Military investigators who fight cyber crime.
5) The FBI and other law enforcement organizations that investigate cyber crime.
6) Cybersecurity experts at US Department of Energy laboratories and federally funded research and development centers.
7) DoD and private forensics experts who analyze computers that have been infected to determine how the attackers penetrated the systems and what they did subsequently.
8) Red team members inside the DoD tasked with finding ways of circumventing military cyber defenses during their exercises.
9) Civilian penetration testers who test civilian government and commercial systems to determine how they can be penetrated, with the goal of better understanding risk and implementing better defenses.
10) Federal CIOs and CISOs who have intimate knowledge of cyber attacks.

The 20 Critical Controls include 15 controls that can be continuously monitored and validated at least in part in an automated manner and five that must be validated manually (CAG, 2011, p. 9-10).

Critical Controls subject to automated collection, measurement, and validation:

1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defenses
6) Application Software Security
7) Wireless Device Control
8) Data Recovery Capability (validated manually)
9) Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
10) Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols, and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring, and Analysis of Security Audit Logs
15) Controlled Access Based on the Need to Know
16) Account Monitoring and Control
17) Data Loss Prevention
18) Incident Response Capability (validated manually)
19) Secure Network Engineering (validated manually)
20) Penetration Tests and Red Team Exercises (validated manually)

As described in the document, there is a direct relationship to the U.S. Federal Guidelines:

The 20 Critical Controls are meant to reinforce and prioritize some of the most important elements of the guidelines, standards, and requirements put forth in other US government documentation, such as NIST Special Publication 800-53, SCAP, FDCC, FISMA, manageable network plans, and Department of Homeland Security software assurance documents. These guidelines do not conflict with such recommendations. In fact, the guidelines set forth are a proper subset of the recommendations of NIST Special Publication 800-53, designed so that organizations can focus on a specific set of actions associated with current threats and computer attacks they face every day (CAG, 2011, p. 12).

The direct mapping between the 20 Critical Security Controls and NIST Special Publication 800-53, Revision 3, Priority 1 items can be found in Appendix B.

The U.K. Centre for the Protection of National Infrastructure (CPNI) recently released a new guidance document detailing the Top Twenty Critical Security Controls. These provide a baseline of high-priority information security measures and controls that can be applied across an organization in order to improve its cyber defense. CPNI is participating in an international government-industry effort to promote the top twenty critical controls for computer and network security, which is being coordinated by the SANS Institute (Continuity Central, 2012).

3.3 Australian Government Defence Signals Directorate’s 35 Mitigating Strategies

In 2010, the Australian Defence Signals Directorate (DSD) developed a list of 35 prioritized mitigation strategies to defend networks and systems from cyber attack, based on the study of all known targeted intrusions against government systems, and articulated what would have stopped the infections from spreading. The DSD updated and reprioritized this list in 2011 and determined that at least 85% of the targeted cyber intrusions could have been prevented by following the top four mitigation strategies. Because of this ground-breaking directive of focusing on the top four controls and implementing them, they received the 2011 U.S. National Cybersecurity Innovation Award (SANS Press Release, 2011). The top four specific controls (nicknamed the “sweet spot”) are:

1) Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers;
2) Patch operating system vulnerabilities;
3) Minimize the number of users with administrative privileges; and
4) Use application whitelisting to help prevent malicious software and other unapproved programs from running.

The DSD’s 35 Mitigating Strategies focus on individual tasks organizations can undertake to improve their security stance. They are a focused subset of the 20 Critical Controls with a direct mapping detailed in Appendix C: Mapping between the 20 Critical Security Controls and the Australian Government Defense Signals Directorate’s 35 Mitigation Strategies (CAG, 2011, pp. 72-75).

4. Developing APT-focused Security Guidance Strategy

4.1 Advanced Persistent Threats (APTs)

In the past few years, intelligence agencies and computer security vendors have begun using the term Advanced Persistent Threats (APTs) to describe a series of cyber-based attacks. The term APT typically describes a foreign nation state government with the advanced capability and persistence to commit cyber espionage (Binde, 2011).


Publicly, we have seen a majority of companies in every industry deal with significant and costly attack vectors. In January 2010, the source code and intellectual property of Google and at least 20 other companies in the high-tech industry and defense industrial base were targeted and compromised during “Operation Aurora” (McClure, 2010). In November 2009, “Operation Night Dragon” included a series of coordinated and targeted attacks against the global oil and gas companies (Shook, 2011). Most recently, in the attack described as “Operation Shady RAT,” around 70 corporations and government organizations were compromised routinely over a period of 5 years (Alperovitch, 2011).

The above attacks included several commonalities. Routinely, the attackers used previously unknown attack vectors known as zero-day attacks. Unsuspecting users opening email attachments or browsing malicious websites introduced these attacks into the victim network. Additionally, all of these attacks relied upon a remote command and control channel to steal the data out of the infected networks. In most cases, the compromised victims were eventually discovered only after virus researchers discovered the attacker’s command and control servers (Command, 2011).

4.2 Risk-based Approach

From SANS’ point of view, focusing on the 20 Critical Controls will help an organization be prepared for the most important actual threats that exist in today’s world. The 20 Critical Controls help organizations make better use of their limited security resources by using a prioritized set of overarching security controls. GIAC Enterprises will highly benefit from fully adopting the 20 Critical Controls; however, fully adopting these Critical Controls will take considerable time.

Therefore, we argue that GIAC Enterprises would benefit most if it takes a risk-based approach to initially implement only a subset of the 20 Critical Controls that address its highest risks first. Afterwards, the remaining Critical Controls can be implemented. It is our belief that due to the nature of GIAC Enterprises’ business, and being the world’s largest supplier of Fortune Cookie sayings, its intellectual property is a target for theft. This makes APT-related risks the highest at this point in time for GIAC Enterprises. The initial focus should be on mitigating such risks. The next step of the strategy is to apply the “offense-informs-defense” concept to determine which subset of controls is better geared to mitigate APT-related risks. To determine the appropriate subset of controls, one would highly benefit from tapping into the collective experience of the 20 Critical Controls’ contributors, who are responsible for responding to actual attacks or conducting red team exercises (CAG, 2011, pp. 8-9). Based on the contributors’ first-hand knowledge of real world attacks and associated defenses, the contributors included a table of attacks mapped to the most directly related control. That table represents the foundation for selecting a subset of controls, which is based on the “offense-informs-defense” concept.

Reviewing the Attack Types table included in the 20 Critical Controls Consensus Audit Guidelines’ Appendix (CAG, 2011, pp. 76-77), it is clear that four attacks stand out as having APT characteristics. The same table suggests which critical control is most appropriate for each attack. The four attacks and the related controls are included in the table below:

Attack Summary: Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation.
Most Directly Related Control: Critical Control 4: Continuous Vulnerability Assessment and Remediation

Attack Summary: Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and then spread it to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools.
Most Directly Related Control: Critical Control 5: Malware Defenses

Attack Summary: Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information or separate it from non-sensitive information.
Most Directly Related Control: Critical Control 15: Controlled Access Based on the Need-to-Know

Attack Summary: Attackers gain access to internal enterprise systems to gather and exfiltrate sensitive information, without detection by the victim organization.
Most Directly Related Control: Critical Control 17: Data Loss Prevention (DLP)


The methodology described above for selecting a subset of controls led to the selection of Critical Controls 4, 5, 15, and 17. A proper analysis would not be complete without comparing this subset of controls to a statistically proven subset of controls such as the one recommended by the Australian DSD. The Australian DSD determined that at least 85% of targeted cyber intrusions could be prevented by implementing four specific controls:

1. Patch applications such as PDF readers, Microsoft Office, Java, Flash Player, and web browsers;
2. Patch operating system vulnerabilities;
3. Minimize the number of users with administrative privileges; and
4. Use application white-listing to help prevent malicious software and other unapproved programs from running.

It is the authors’ opinion that the subset of controls selected actually resonates with the Australian DSD recommendation:

Australia’s DSD Controls 1 and 2 are in line with selecting Control 4 “Continuous Vulnerability Assessment and Remediation;”
Australia’s DSD Control 3 is in line with selecting Controls 15 and 17 “Controlled Access Based on Need-to-Know, and DLP;” and
Australia’s DSD Control 4 is in line with selecting Control 5 “Malware Defenses.”

It is imperative that GIAC Enterprises protect its sensitive data - its intellectual property. The risk-based methodology used resulted in a subset of controls which are rather unique in that they are information-focused, and not identical to statistically supported work such as the systems-focused Australian DSD list. Based on GIAC Enterprises’ needs, and the recent shift in attention from securing networks, to securing systems, to securing the data itself (CAG, 2011), we argue that GIAC Enterprises would benefit more from adopting our recommended subset of controls. Perhaps future work based on this research may provide evidence that this approach is more effective in securing intellectual property.

Therefore, the subset of the 20 Critical Controls to implement first for GIAC Enterprises is: Controls 4, 5, 15, and 17. These controls lend themselves to automation, and so the next sections of the paper will highlight some automation approaches for these controls.


5. Automation Approach for Critical Controls 15 and 17

Critical Controls 15 and 17 of the 20 Critical Controls state that data access is to be controlled, and access to data should be on a need-to-know basis. In addition, data loss prevention capabilities should be in place. Going back to the “offense-informs-defense” theme, one needs to first understand how attackers exploit the absence of these controls before attempting to automate them.

5.1 Exploiting the Absence of Critical Controls 15 and 17

Organizations often do not carefully identify and separate sensitive information from publicly available information on their information systems. Because there is no such separation between the two different types of information, internal users will have access to all or most of the sensitive information. This makes it easy for attackers who have penetrated the network to find and exfiltrate the sensitive information. What compounds the problem further is that an organization may not be monitoring data outflows to quickly detect such exfiltration. While some information is leaked as a result of theft or espionage, the vast majority of such problems occur from poorly understood data practices, lack of effective policy, and user error (CAG, 2011, p. 60). The loss of control over sensitive information (such as the cookie sayings intellectual property) is a serious vulnerability, and introduces a high risk to GIAC Enterprises.

5.2 Focusing on the DataOver the last few years, there has been a noticeable shift in attention and

investment from securing the network to securing systems within the network, and to

securing the data itself (CAG, 2011). To be able to secure the sensitive data, one needs to

know what constitutes sensitive data. Two main types of sensitive data exist: Regulatory

Data, and Corporate Data.

Page 13: · Web viewAttack Summary Most Directly Related Control Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are

Automating Crosswalk between SP 800 and the 20 Critical Controls 13

Regulatory Data is found in many organizations. It takes the same form regardless

of which organization it is stored. On the flip side, Corporate Data is usually unique data

that differs from one organization to another. The unique property of Corporate Data

makes it more challenging to identify, control, and secure. The intellectual property of

GIAC Enterprises (cookie sayings) falls into the Corporate Data type of sensitive data.

Controlling sensitive data can take place when the data is at rest (e.g., data storage),

when the data is in motion (e.g., network actions), and when the data is in use (e.g.,

endpoint actions). To facilitate controlling sensitive data, GIAC Enterprises need to

establish a proper Data Loss Prevention (DLP) program.

5.3 Establishing a Risk-based DLP ProgramThere are many publications in the market about how complex and expensive

(DLP) projects can get if not properly handled. It can be argued, a primary reason for

such perception, is a lack of importance to people and process in DLP projects. Rather

than considering DLP as a point product, one can benefit from considering DLP a

Control Data-at-Rest

Control Data-in-Motion

Control Data-in-Use

Credit card dataPrivacy data (PII)Health care information

Sensitive Regulatory Data

Intellectual propertyFinancial informationTrade secrets

Sensitive Corporate Data

Page 14: · Web viewAttack Summary Most Directly Related Control Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are

Automating Crosswalk between SP 800 and the 20 Critical Controls 14

technology that helps build processes to prevent people from leaking sensitive data. To

establish a proper DLP program for GIAC Enterprises, the following three-phased model

is suggested:

This three-phased model applies whether sensitive data is being controlled at rest, in use, or in motion. The first step is to understand risk better by identifying sensitive data through a discovery process; discovery can take place while data is in use, in motion, or at rest. In the next step, risk starts to be mitigated by educating both end users and risk teams. Finally, risk mitigation reaches its peak when effective security controls are enforced without getting in the way of business productivity.

[Figure: DLP Program Lifecycle Management, driven by risk-based policies. Three phases over time: DISCOVER (understand risk across the infrastructure), EDUCATE (end users and risk teams), ENFORCE (security controls); risk decreases from phase to phase.]

5.4 Automating Data Classification and Policy Definition

For GIAC Enterprises, the cookie sayings intellectual property is the data that needs to be controlled. As described earlier, this is sensitive data of the Corporate Data type. For technology to identify sensitive data through a discovery process, it needs to understand what sensitive data looks like. It would be ideal to simply tell the technology that sensitive data is any cookie saying; unfortunately, it is not that simple. Regulatory Data has a recognizable form (a credit card number, for example), so if cookie sayings were Regulatory Data the technology could easily recognize them as sensitive on its own; Corporate Data has no such form.


Data classification (defining data sensitivity) is a complex task because only the business owners know this information. The sensitivity of cookie sayings, as of other data, is dynamic and often varies by business function and over time. It is a challenge for security teams to define which data is sensitive and how it should be handled according to policy. The logical approach is to involve the line of business in data classification and policy definition, but involving the line of business is not trivial. An effective way to address this challenge is to let the business owners directly define what data is sensitive (or which criteria make data sensitive) and how that data should be handled. A portal with a workflow engine can automate this process. Such automation can be achieved with Governance, Risk, and Compliance (GRC) tools, provided they are integrated with the DLP technology in use. One example of such a solution is the RSA DLP Policy Workflow Manager illustrated below:

[Figure: DLP policy workflow. Step 1: identify files and set business rules. Step 2: create the DLP policy and check it for feasibility. Step 3: the DLP policy is routed for approval. Step 4: the approved DLP policy is applied across the organization. Roles shown: end users, DLP admin, business managers.]

It is important to point out that this stage is not about using a tool to locate sensitive data across the organization. This stage merely defines what we should look for and, once we find it, how it should be handled. It is about defining criteria and rules, not about scanning. The output of this stage is a set of risk-based DLP policies such as the following:


Data sensitivity is one of three elements that together determine the risk level of a DLP policy (the other two are the user action and the user identity). For the sake of simplicity, GIAC Enterprises can initially start with only two classification levels, sensitive and public; in the future the levels can be extended to three: secret, private, and public. A properly integrated DLP and GRC solution provides an abstraction layer through which the line of business defines technical DLP policies. These policies are then used to control data in motion, at rest, or in use. The integrated DLP and GRC solution is technology that helps fill the gap in people and process that DLP projects so often suffer from.

Using such an automation approach for data classification and DLP policy definition can reduce the duration of these activities from weeks to days. This section helps to automate sub-control 15.1 and lays the foundation for automating most sub-controls of Critical Controls 15 and 17 (CAG, 2011, p. 55).

[Figure: Enforce security controls based on the risk of a violation. Risk (low to high) is determined by three elements: user action, data sensitivity, and user identity. Possible actions, defined in the DLP policy and applied manually or automatically: allow, notify, audit, justify, encrypt, quarantine, move, copy, delete, shred, apply RMS (DRM), block.]

5.5 Automating the Control of Data-in-Motion

The people and process elements of DLP projects are often ignored. To address these two elements when automating the control of data in motion, GIAC Enterprises needs to follow this process:

1) Initially understand the risk of data-in-motion across the various protocols (Monitor Only);

2) Introduce just-in-time education to users to mitigate risk (Monitor and Educate); and

3) In the enforcement phase, implement actions such as automatic encryption of sensitive data. Also in this final phase, unauthorized encrypted data (content the DLP system cannot inspect) can be blocked, to mitigate the exfiltration of sensitive data that APTs encrypted before sending it out (Automate Action).

The following scenario is an example of just-in-time education when controlling data-in-motion. A GIAC Enterprises employee has just sent an email containing a sensitive cookie saying. When the DLP system scans the network traffic, it sends the employee an alert saying that the email they just sent possibly violates the GIAC Enterprises intellectual property policy. The alert also includes the policy itself and explains why this email represents a violation. The employee is then given the option (see figure below) of sending the email anyway, because they are sure it is not a policy violation, or not sending it at all. The action is logged, and the employee is educated just-in-time. If the employee faces a similar situation in the future, they will likely make a better decision and thereby reduce GIAC Enterprises' risk level.

This section helps to automate sub-controls 17.2, 17.3, 17.5, 17.6, 17.9, 17.10 (CAG, 2011, pp. 61-62), and 15.4 (CAG, 2011, p. 55).
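As an added illustration of the risk-based decision described in this section (example code written for this edit, not part of the original paper and not the logic of the RSA product), the following Python script scores a data-in-motion event on the three elements of the policy figure, user action, data sensitivity, and user identity, and maps the score to a DLP verdict for each of the three program phases. The cookie sayings, user names, risk weights, thresholds, and the policy identifier GIAC-IP-01 are all constructed for the example; the sayings are matched by fingerprint (a hash of each normalized sentence), so the network sensor never holds the clear text.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for GIAC Enterprises' cookie sayings (the Corporate Data
# the policy protects). In practice these come from the policy definition stage.
COOKIE_SAYINGS = [
    "A journey of a thousand miles begins with a single step.",
    "Your creativity will lead you to an unexpected fortune.",
]

# Hypothetical identity data: who has a need-to-know for cookie sayings.
IDENTITY = {"alice": "authorized", "bob": "employee", "carol": "contractor"}

# Hypothetical policy text shown to the user in the educate phase.
POLICY_TEXT = ("GIAC-IP-01 (hypothetical): cookie sayings may leave the company "
               "only encrypted and only from the creative team.")

# Risk weights for the three elements of the policy figure (constructed values).
ACTION_RISK = {"email_internal": 1, "im": 2, "email_external": 3, "web_upload": 3}
IDENTITY_RISK = {"authorized": 0, "employee": 1, "contractor": 2, "unknown": 3}
SENSITIVITY_RISK = {"public": 0, "sensitive": 3}


def normalise(text: str) -> str:
    """Fold case, punctuation and whitespace so trivial edits do not defeat the match."""
    return re.sub(r"\W+", " ", text.lower()).strip()


def fingerprint(sentence: str) -> str:
    return hashlib.sha256(normalise(sentence).encode()).hexdigest()


# The sensor holds only the hashes of the sayings, never the sayings themselves.
REGISTERED = {fingerprint(s) for s in COOKIE_SAYINGS}


def classify(content: str) -> str:
    """Two classification levels to start with, as the paper suggests: sensitive or public."""
    sentences = re.split(r"(?<=[.!?])\s+", content.strip())
    hit = any(fingerprint(s) in REGISTERED for s in sentences)
    return "sensitive" if hit else "public"


@dataclass
class Event:
    user: str
    action: str    # one of ACTION_RISK
    content: str   # what the sensor saw on the wire (email body, upload, IM text)


def risk_score(event: Event, sensitivity: str) -> int:
    return (ACTION_RISK[event.action]
            + IDENTITY_RISK[IDENTITY.get(event.user, "unknown")]
            + SENSITIVITY_RISK[sensitivity])


def decide(event: Event, phase: str) -> dict:
    """Map an event to a DLP verdict for the given program phase.

    phase: "discover" (monitor only), "educate" (monitor and educate),
           "enforce" (automate action).
    Every verdict is logged; the returned dict is the log record.
    """
    sensitivity = classify(event.content)
    score = risk_score(event, sensitivity)
    record = {"user": event.user, "action": event.action,
              "sensitivity": sensitivity, "score": score, "phase": phase}
    if sensitivity == "public":
        record["verdict"] = "allow"
    elif phase == "discover":
        record["verdict"] = "audit"      # learn the baseline before touching traffic
    elif phase == "educate":
        record["verdict"] = "justify"    # just-in-time prompt: send with a reason, or cancel
        record["message"] = POLICY_TEXT
    elif score >= 8:
        record["verdict"] = "block"
    elif score >= 6:
        record["verdict"] = "encrypt"    # let it out, but only protected
    else:
        record["verdict"] = "notify"
    return record


# Constructed email body containing one verbatim saying.
SAMPLE_EMAIL = ("Next batch for the printer attached. "
                "A journey of a thousand miles begins with a single step. Thanks!")

if __name__ == "__main__":
    for phase in ("discover", "educate", "enforce"):
        print(decide(Event("bob", "email_external", SAMPLE_EMAIL), phase))
    print(decide(Event("carol", "web_upload", SAMPLE_EMAIL), "enforce"))
```

Sentence-exact fingerprints catch verbatim sayings only; a saying embedded in a longer sentence or lightly reworded slips through, which is why commercial DLP products use partial-document matching rather than whole-sentence hashes. In the educate phase the "justify" verdict is the just-in-time prompt described above: the user sees the policy and either sends with a reason or cancels, and either way the event is logged.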

[Figure: Process to reach automation (data-in-motion). Risk across web protocols, email, IM, and generic TCP/IP protocols decreases over time through DISCOVER (monitor only: understand risk), EDUCATE (monitor and educate: just-in-time education of users), and ENFORCE (automate action: encryption, blocking, etc.).]


5.6 Automating the Control of Data-at-Rest/Data-in-Use

At this stage, as in the earlier stage of controlling data in motion, sensitive data has been defined using the techniques highlighted in section 5.4. Where the sensitive data is, who has access to it, and how it is being used are still unknown, and so the risk exposure is unknown too. Once these questions are answered, the risk exposure becomes known. This section addresses how to answer these questions in an automated manner. Continuing the same theme (giving more attention to the people and process elements of DLP projects), GIAC Enterprises needs to follow this process for automating the control of data-at-rest and data-in-use:

1) Understand the risk of data-at-rest in all data stores. This requires scanning all data stores to identify where sensitive data is located; the tools available range from open source tools such as OpenDLP to commercial DLP tools. Once the location of sensitive data is known, the next step is to find out who has access to it and whether they have a need-to-know. This second scanning operation is often performed with a different set of tools, some of which are free and gather the ACLs of files and folders on network shares (ShareEnum, for example). Other tools may be built in and monitor file activity, such as the Windows audit logging capability for files (Scanning);

2) Introduce just-in-time education to users to mitigate the risk associated with sensitive data. As the line of business becomes more educated, proper data governance policies can be defined (Monitor and Educate); and

3) In the enforcement phase, implement data governance policies to reduce risk further. An action such as automatic encryption of sensitive data at rest can be implemented. Also in this final phase, integration of DLP with other technologies, such as Digital Rights Management (DRM) tools, can be leveraged: an example is automatically applying DRM controls to sensitive data when DLP senses that the data is being copied to an external drive (Automate Action).
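As an added example of the scanning step (example code for this edit, not code from the paper, from OpenDLP, or from any commercial product), the following Python script walks a directory tree, flags files containing Luhn-valid card numbers (a Regulatory Data pattern that, unlike cookie sayings, can be recognized without a reference copy), records who owns each file and whether it is world-readable, and supports the incremental rescan mentioned later in this section by skipping files unchanged since the last run. The directory tree, file contents, and card numbers are constructed inside demo_scan(); the POSIX mode bits stand in for the share ACLs a tool such as ShareEnum would gather on Windows.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# 13 to 16 digits, optionally separated by spaces or dashes, not part of a longer number.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: cuts false positives from ticket numbers, serials and the like."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(root, since: float = 0.0) -> list:
    """Return one finding per file under root that holds at least one valid card number.

    since: skip files whose mtime is older than this timestamp (incremental rescan).
    mtime is attacker-controllable, so a full scan should still run periodically.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_mtime < since:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue          # unreadable to the scanner: itself worth reporting in practice
        hits = [m.group() for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
        if hits:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "matches": len(hits),
                "owner_uid": st.st_uid,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "world_readable": bool(st.st_mode & stat.S_IROTH),
            })
    return findings


def demo_scan() -> dict:
    """Build a constructed file share, run a full scan, then an incremental one."""
    old, cutoff = 1_000_000_000, 1_500_000_000     # fixed timestamps, no sleeping needed
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "hr").mkdir()
        files = {   # constructed contents; the card numbers are public test numbers
            "finance/refunds.csv": "customer,card\nacme,4111 1111 1111 1111\n",      # valid
            "hr/notes.txt": "ticket 1234567812345678 opened, not a card number\n",  # fails Luhn
            "hr/payroll.txt": "corporate card 5555555555554444 on file\n",          # valid
        }
        for name, body in files.items():
            p = root / name
            p.write_text(body)
            os.utime(p, (old, old))
        os.chmod(root / "finance" / "refunds.csv", 0o644)     # over-shared
        os.chmod(root / "hr" / "payroll.txt", 0o600)
        full = scan(root)
        # A new file lands after the cutoff; only it shows up in the incremental run.
        (root / "finance" / "chargebacks.txt").write_text("refund to 4111111111111111\n")
        incremental = scan(root, since=cutoff)
        return {"full": full, "incremental": incremental}


if __name__ == "__main__":
    for finding in demo_scan()["full"]:
        print(finding)
```

The owner and mode fields answer the second discovery question (who has access) only coarsely; on a Windows share the equivalent step is to pull the ACLs of each hit and compare the principals against the need-to-know list from the policy definition stage. A large share is scanned the same way, but, as the paper notes, with agents running next to the data rather than pulling terabytes across the network.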


For GIAC Enterprises, the cookie sayings intellectual property is likely scattered all across the organization. At this stage, the line of business has defined what sensitive data is, and that definition is incorporated into DLP policies; the security/risk team now knows what to look for. The scanning operations in the discovery phase of the above process answer two important questions: 1) Where is the sensitive data? and 2) Who has access to it? The answers help GIAC Enterprises understand the risks associated with sensitive data (cookie sayings) at rest and in use. Locating sensitive data among terabytes of data spread across multiple sites is a real challenge; it resembles looking for gems along an extremely long sandy shore.

[Figure: Process to reach automation (data-at-rest/data-in-use). Risk across data permissions and stores (file shares, databases, endpoints, repositories, etc.) decreases over time through DISCOVER (scanning: understand risk), EDUCATE (monitor and educate: just-in-time education of users), and ENFORCE (automate action: data governance policy such as encryption, DRM, block, shred, log, etc.).]

Fortunately, technology is available to overcome this problem, even in massive environments. The scanning technology of commercial DLP vendors can turn existing servers into a cluster that scans terabytes of data in parallel with no additional hardware. Using temporary software agents, sensitive data is identified in multiple repositories such as file servers, endpoints, databases, and collaborative environments such as Microsoft SharePoint. Incremental changes to data repositories can be monitored so that scanning can be repeated on a regular basis. By bringing the scanning software to the data, and not vice versa, it is possible to scan massive amounts of data without saturating the network. The figure below illustrates the architecture used to perform sensitive data discovery in a multi-site environment with multiple data repositories:

[Figure: Sensitive data discovery architecture. A DLP administrator directs temporary software agents deployed in the main data center, a secondary data center, and remote offices; the agents scan local repositories (file servers, databases, SharePoint) in place.]

After using technology in the discovery phase to answer where sensitive data is, one has a better understanding of risk. Understanding the risk, however, is only the first half of the story; the second half is risk remediation, and it is not trivial.

Risk remediation for sensitive data at rest revolves around defining the appropriate data governance policy and applying it so that files with sensitive content are properly protected. However, encrypting a file, moving it to a more secure repository, or changing its permissions without involving the end users of the file can have a negative impact on any organization. The proper way to address this challenge is to involve the line of business in the remediation process. The benefit is that proper data governance policies can be defined for cookie sayings without negatively impacting the business. The drawback is that the remediation process can take significantly longer, with emails, phone calls, and spreadsheets going back and forth between the security/risk team and the line of business to protect a large number of files located all around GIAC Enterprises.

That drawback is a workflow challenge, and it can be overcome with a risk management workflow module that automates risk remediation. This type of automation can be achieved with GRC tools, especially if they are integrated with the scanning tools used to discover sensitive data, permissions, and file activity. The module enables the security/risk team to send remediation options and questionnaires about the business context to the business owners in an automated manner, which empowers the business users to make appropriate decisions about the sensitive files they own. An example is the RSA DLP Risk Remediation Manager (RRM) solution, as follows:

[Figure: Risk remediation workflow. Data Loss Prevention (DLP) discovers sensitive data on SharePoint, databases, endpoints, NAS/SAN, and file servers through agents, temporary agents, a grid, or a virtual grid; the Risk Remediation Manager (RRM), fed by DLP, file activity tools, and GRC systems, manages the remediation workflow with business users; the controls applied are: apply DRM, encrypt, delete/shred, change permissions, or grant a policy exception.]

Using such an automation approach for risk remediation of data-at-rest can reduce the duration of these activities from months to weeks. The benefit of the automation approach is twofold:

The automation allows just-in-time education of the line of business, which facilitates the definition of the data governance policy and improves future actions; and

The automation significantly reduces the remediation time for data governance policy violations without negative business impact. This increases the efficiency of a reactive control and reduces the window of opportunity for APTs.


This section helps to automate sub-controls 15.2, 15.3, 15.5, 15.6, 15.7 (CAG, 2011, pp. 55-56), 17.4, and 17.7 (CAG, 2011, p. 61).

6. Automation Approach for Critical Controls 4 and 5

Critical Controls 4 and 5 of the 20 Critical Controls state that attackers exploit new vulnerabilities on systems that lack critical patches, and use malicious code to gain control of target systems, which could allow the capture of sensitive information such as cookie sayings from GIAC Enterprises.

To fully understand which controls are best suited to preventing and mitigating APTs, one first needs to understand the attack vector typically used.

Malware innovations have been driven by attackers' quest to gain increasing control of compromised systems and the networks in which they reside. A recent white paper sponsored by Imperva, 'Advanced Persistent Threat: Are You the Next Target?', presents a useful diagram of the anatomy of an APT attack (Bitpipe.com, 2011).


Considering the dynamics of the advanced malware infection lifecycle, the following illustrates another commonly adopted infection approach (Damballa, 2011):

1) Victim surfs to a website or clicks on a link in an email (e.g., phishing, drive-by download);

2) Browser is redirected to a malicious dropper site;

3) Victim is misled into downloading the dropper, or the dropper is downloaded automatically through an exploit;

4) Dropper unpacks on the victim machine and runs;

5) Dropper contacts a new site: UPDATE;

6) UPDATE sends Command and Control (C&C) instructions;

7) Dropper contacts C&C Site #1 with victim identity details;

8) C&C Site #1 sends encrypted malware with new C&C instructions, possibly 'locked' to the victim machine;

9) Malware is decrypted by the dropper and installed. The dropper may stay behind as false evidence for investigators, or delete itself so that investigators believe no infection has occurred; and

10) Malware contacts C&C Site #2 and sends passwords, data, etc. as an encrypted payload.

Steps 8, 9, and 10 can repeat indefinitely, with the malware 'evidence' and C&C connection instructions changing constantly. The malware can be repurposed or told to lie silent for prolonged periods of time.

As one can deduce from the above description of APTs, the client is the attackers' primary target. Through social engineering, targeted spear-phishing emails are sent to known key users in an organization. A carefully crafted email entices an unsuspecting victim to open a malicious attachment disguised as the kind of file the user would expect from the spoofed sender.


Control 4 was chosen to help block the above threat vector by focusing on client-based authenticated vulnerability scanning, including checks for the presence or absence of key patches, and on quickly remediating any vulnerabilities found. Control 5 was chosen to reduce and remediate the effect of the malware that APTs rely on.

6.1 Exploiting the Absence of Critical Controls 4 and 5

Whenever new vulnerabilities are discovered and reported by security researchers or vendors, attackers are quick to develop exploit code and launch attacks immediately. Delays in finding or patching software with exploitable vulnerabilities give persistent attackers ample opportunity to gain a critical foothold in the enterprise. Failing to scan thoroughly for vulnerabilities and address discovered flaws proactively leaves an organization open to system compromise. Malicious software also targets end users via web browsing, email attachments, mobile devices, and other vectors. This code attempts to capture sensitive data and spread to other systems, and it aims to avoid signature-based detection and even disables anti-virus tools running on the system (CAG, 2011, pp. 23-26). John Pescatore, a distinguished Gartner analyst, said at a recent Gartner Security and Risk Management Summit: "There is no such thing as the unstoppable attack in cybersecurity. Every attack, in order to succeed, needs to exploit a vulnerability" (infosecurity.com, 2011). Without a means to detect or prevent malicious software from being installed and then establishing a command and control channel, GIAC Enterprises carries a level of risk that is unacceptable.

6.2 Focusing on the APTs, and the Threat Vectors through Continuous Monitoring

Whether attackers use viruses, Trojans, bots, or rootkits, today's malware is designed for long-term control of compromised client machines. Advanced malware also establishes outbound communications across several different protocols to upload collected data and to download further malware payloads for additional criminal purposes. One of the keys to protecting sensitive data is continuous monitoring. This includes verifying through vulnerability assessments that systems are not susceptible to well-known exploits, and being diligent in patch management.


The Risk Assessment (RA-3) and Vulnerability Scanning (RA-5) guidance provided by NIST conforms to this concept. As shown in the workflow diagrams below, an assessment of risk is conducted, the results are documented, and the assessment is reviewed and updated. For vulnerability scanning, a similar continual cycle applies: conduct vulnerability scans, analyze the scan reports, remediate legitimate vulnerabilities, and correlate and share the results to reduce systemic weaknesses or deficiencies (SP 800-53 Revision 3, 2010, pp. F92-93).

[Figure: Workflow 1, Risk Assessment: conduct assessment of risk; document risk assessment results; review and update risk assessment. Workflow 2, Vulnerability Scanning: conduct vulnerability scans; analyze vulnerability scan reports; remediate legitimate vulnerabilities; correlate and share results to reduce systemic weaknesses or deficiencies.]

Continuous monitoring is a crucial element in the Risk Management Framework developed by NIST. NIST's recently released SP 800-137, "Information Security Continuous Monitoring for Federal Information Systems and Organizations," defines continuous monitoring as "maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions" (SP 800-137, 2011, p. vi). In addition, an organization's overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur. Recent guidance from the Office of Management and Budget on FISMA reporting emphasizes monitoring on an ongoing basis rather than periodic assessments (Jackson, 2011).

6.3 Control 4 - Automating Continuous Vulnerability Assessment and Remediation

Considering that an APT almost always starts with the compromise of a vulnerable system, a means of understanding what vulnerabilities exist and what patches are available to remediate them is critical. This is where GIAC Enterprises can take positive steps to protect and isolate itself from easily prevented client-side exploits. Research indicates that a limited number of exploits in just a handful of widely used third-party applications are responsible for nearly all successful enterprise malware infections on Windows clients. According to research released last September by the research firm CSIS Security Group, a three-month study of real-time attack data showed that as many as 85% of all virus infections occurred as a result of automated drive-by attacks created with commercial exploit kits, and nearly all of them targeted five popular third-party applications: Java Runtime Environment (JRE), Adobe Flash, Adobe Acrobat and Reader, Internet Explorer, and Apple QuickTime (Kruse, 2011). This research lends additional credence to the focus of the Australian DSD findings.

Automated vulnerability scanning should run against all organizational assets at least weekly, and a scan should be triggered automatically whenever a new system is introduced to the network. In addition, authenticated scans of known system types should be performed: for example, an administrative account should be established on all Windows-based systems and the vulnerability scans should use the privileges of that account. Such an account is itself a high-value target, so its credentials should be confined to the scanning infrastructure and its use logged. The scans can be part of an enterprise solution that uses agent-based clients to facilitate them.

Scanning tools should look for specific functionality, ports, protocols, and services that should not be accessible to users or devices, and for improperly configured systems. More importantly, modern scanners should determine whether patches for key operating system components as well as third-party applications have been applied. Mobile code technologies such as Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and VBScript should be closely monitored and perhaps even restricted. Malware targeting vulnerabilities in application-layer software such as that listed above needs to be held off by ensuring that all application software is at its most current release. Perhaps it is time to ban these dangerous third-party applications, as editorialized by Eric Parizo, Senior Site Editor of SearchSecurity.com (Parizo, 2012)? Short of a complete ban, consider implementing security controls such as removing Java from the Internet zone in Internet Explorer, configuring Adobe Reader to prompt before executing JavaScript, or disallowing embedded executables from running in PDFs. Research by Dan Guido and the Exploit Intelligence Project has shown these steps to be the most effective (Guido, 2011).

Findings should be expressed in industry-recognized vulnerability, configuration, and platform classification schemes: for example, the Common Vulnerabilities and Exposures (CVE) naming convention for identifying vulnerabilities and the Open Vulnerability and Assessment Language (OVAL) for testing whether they are present. Other excellent resources for vulnerability information are the Common Weakness Enumeration (CWE) and the National Vulnerability Database (NVD).

Correlating the known vulnerabilities found with the patches that remedy them must be an integral part of this process. By combining quality vulnerability scanning with that correlation and with remediation, GIAC Enterprises can hit the 'sweet spot' that further reduces and eliminates easily exploitable holes.


To reduce or eliminate known security risks in the computing environment, GIAC Enterprises needs to follow this process for automating this critical control:

1) Implement an automated approach to patching by using solutions such as Microsoft Windows Server Update Services (WSUS) or other commercial management software for operating system and third-party software on all systems;

2) Identify, analyze, and remediate vulnerabilities by implementing an effective continuous vulnerability assessment program. All vulnerability scanning should be performed in authenticated mode, either with agents running locally on each system to analyze the security configuration or with remote scanners that are given administrative rights on the client systems being tested;

3) Tune scanning tools to identify changes over time on each client machine, for both authorized and unauthorized services. This helps detect backdoors that may have been created on a compromised system; and

4) Enlist senior management to provide effective incentives in the mitigation process by tracking the number of unmitigated critical vulnerabilities for each group.
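Steps 2 through 4 above reduce to bookkeeping over successive scan results, which is easy to automate once the scanner's export is parsed. The following Python script is an added example written for this edit (not the paper's, and not the export format of Nessus or any other vendor): it parses two constructed weekly exports from an authenticated scanner, lists the listening ports that appeared on each host since the previous scan (step 3, the backdoor check), counts unmitigated critical findings per group for the management report (step 4), separates the critical findings that a vendor patch already fixes from those that need another mitigation, and confirms which findings the last patch cycle actually closed. The hosts, groups, finding identifiers such as VULN-A, and column layout are all constructed; a real export would carry CVE and OVAL identifiers.

```python
import csv
import io
from collections import defaultdict

# Constructed exports from two weekly authenticated scans (not real scanner output).
# Columns: host, group, port, finding, severity, patch_available.
# port 0 marks a host-level finding; a row whose finding is "-" records an open
# port with no finding attached, so the export doubles as the service inventory.
SCAN_WEEK1 = """host,group,port,finding,severity,patch_available
ws01,finance,445,-,,
ws01,finance,0,VULN-A,critical,yes
ws02,finance,445,-,,
ws02,finance,0,VULN-A,critical,yes
ws02,finance,0,VULN-C,critical,no
dev01,engineering,22,-,,
dev01,engineering,0,VULN-B,medium,yes
"""

# Week 2: ws01 was patched, ws02 was not and now listens on a new port.
SCAN_WEEK2 = """host,group,port,finding,severity,patch_available
ws01,finance,445,-,,
ws02,finance,445,-,,
ws02,finance,4444,-,,
ws02,finance,0,VULN-A,critical,yes
ws02,finance,0,VULN-C,critical,no
dev01,engineering,22,-,,
dev01,engineering,0,VULN-B,medium,yes
"""


def parse_scan(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def listening_ports(rows: list) -> dict:
    """host -> set of listening ports, from every row that names a port."""
    ports = defaultdict(set)
    for r in rows:
        if r["port"] != "0":
            ports[r["host"]].add(int(r["port"]))
    return ports


def new_listeners(prev_rows: list, curr_rows: list) -> dict:
    """Ports that appeared since the last scan (step 3): candidates for a backdoor
    or an unauthorized service, to be reconciled against the change record."""
    before, after = listening_ports(prev_rows), listening_ports(curr_rows)
    added = {h: sorted(p - before.get(h, set())) for h, p in after.items()}
    return {h: p for h, p in added.items() if p}


def unmitigated_critical(rows: list) -> tuple:
    """Per-group count of open critical findings (step 4), plus the subset a
    vendor patch already fixes, which should go straight to the patch system."""
    counts = defaultdict(int)
    patch_now = []
    for r in rows:
        if r["severity"] != "critical":
            continue
        counts[r["group"]] += 1
        if r["patch_available"] == "yes":
            patch_now.append((r["host"], r["finding"]))
    return dict(counts), sorted(patch_now)


def remediated(prev_rows: list, curr_rows: list) -> list:
    """Findings present last week and gone this week: the closed-loop check that
    the patch cycle actually removed what the scanner reported."""
    def open_findings(rows):
        return {(r["host"], r["finding"]) for r in rows if r["finding"] != "-"}
    return sorted(open_findings(prev_rows) - open_findings(curr_rows))


if __name__ == "__main__":
    week1, week2 = parse_scan(SCAN_WEEK1), parse_scan(SCAN_WEEK2)
    print("new listeners:", new_listeners(week1, week2))
    print("critical by group, patchable now:", unmitigated_critical(week2))
    print("remediated since last scan:", remediated(week1, week2))
```

The port 4444 that appears on ws02 in the second week is exactly the kind of change step 3 is meant to surface: it is not a vulnerability finding, so a report that lists only findings would never show it, and a host that still carries a critical, patchable finding a week later is the first place to look for a foothold.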

One commercial example is from Tenable Network Security, Inc., which recently announced that its Nessus vulnerability scanner and SecurityCenter now integrate with leading patch management solutions, including Red Hat Network Satellite Server, Microsoft Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager (SCCM), and VMware Go. The integration bridges the gap between vulnerability management and patch management solutions (darkReading.com, 2011). This is a very viable answer to GIAC's concern about preventing malicious software from entering its enterprise. It is critical to have a strong vulnerability management and patch management strategy.

In addition, Tenable recently published a white paper entitled 'Real-Time Auditing for SANS Consensus Audit Guidelines – Leveraging Asset-Based Configuration and Vulnerability Analysis with Real-Time Event Management' (Gula, Fennelly, 2011). The paper describes how Tenable's solutions can be leveraged to achieve compliance with the SANS Consensus Audit Guidelines (CAG) by ensuring that key assets are properly configured and monitored for security compliance, and it is interesting to note how they can assist with Control 4. The following table, referenced from that white paper, outlines how effective they can be in helping GIAC Enterprises reduce its exposed footprint for virus and malware attacks.

Control 4: Continuous Vulnerability Assessment and Remediation

Interpretation: It is important to monitor systems for vulnerabilities in as close to real time as possible. Penetration tests can discover vulnerabilities in the IT infrastructure, but they are only a snapshot in time. A system that is scanned one day and found to be free of vulnerabilities may be completely exploitable the next day.

Tenable Solution: Tenable was founded on the belief that it is crucial to monitor systems in a manner as close to real time as possible to ensure the organization does not drift out of compliance over time. The greater the gap between monitoring cycles, the more likely it is for vulnerabilities to be undetected. To achieve this goal, Tenable offers several technologies that can be leveraged:

> Nessus can perform rapid network scans. A typical vulnerability scan can take just a few minutes. With the SC, multiple Nessus scanners can be combined to perform load balanced network scans.

> Nessus credential scans can be leveraged to perform highly accurate and rapid configuration and vulnerability audits. Credentialed scans also enumerate all UDP and TCP ports in just a few seconds.

> The Passive Vulnerability Scanner (PVS) monitors all network traffic in real time to find new hosts, new vulnerabilities, and new applications. It scans for the same vulnerabilities detected by the Nessus scanner.

This section helps to automate sub-controls 4.1, 4.2, 4.3, 4.4, 4.6, 4.7, and 4.8 (CAG, 2011, pp. 23-24).

6.4 Control 5 - Automating Continuous Monitoring of Malicious Software and Malware Callbacks

According to the most recent security threat report that Sophos published, they reported that they analyzed 95,000 malware pieces every day, nearly doubling the amount tracked the prior year. This accounts for one unique file every 0.9 seconds, 24 hours per day, each day of the year (Sophos, 2011).

Attackers have developed ways to bypass outdated security techniques, such as signatures, leaving businesses and consumers vulnerable to attack. Signature-based technologies like IPS and antivirus software, both within perimeter and endpoint solutions, are increasingly ineffective against this rapidly evolving, blended threat. In fact, Bob Walder from Gartner reported, “Some IPS/IDS/Next-Generation firewalls (NGFW) vendors are no better at handling evasions today than they were when they released their original products” (Walder, 2010).

A common denominator to any malware delivery system is the human element. Quoting from the book Information Security Management Handbook, Sixth Edition, “It is well recognized that the greatest information security danger to any organization is not a particular process, technology, or equipment, rather it is the people who work within the “system” that hide the inherent danger” (Tipton, Krause, 2007, Ch. 43). An educated work force is also critical to combating malware.

With the sophisticated approach used by modern attackers to inject malware into an organization, it is almost impossible to prevent systems from being compromised. A process has to be in place to carry out an incident response when malware is detected. This process has to be timely in order to quickly contain any infections that have occurred. The efficiency of modern malware in gathering proprietary information and transmitting it back via encrypted channels is too alarming to ignore. A compromised system has to be removed from the network as soon as possible once detected, then eradicated and recovered following best-practice incident response procedures. NIST, in 2005, introduced Special Publication 800-83, ‘Guide to Malware Incident Prevention and Handling’. This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents (Mell, 2005).

With zero-day and APT attacks being the primary challenges businesses face today, GIAC Enterprises needs to follow this process to automate its malware defenses and thus reduce the risk of data loss through malware infections:

1) Implement basic and necessary malware protection. This includes both perimeter and endpoint solutions for Intrusion Prevention Systems (IPS) as well as antivirus/antimalware protection. Even though these typical signature-based solutions are increasingly less effective, they will still prevent many infections from occurring. Host-based IPS (HIPS) can and should be implemented as another layer of protection. This can prevent known malware from infecting systems;

2) Train and educate users in the art of recognizing social engineering tactics. Conduct simulated, but real-world scenarios, such as sending targeted spear phishing email with a payload that reports successful installation back to IT management;

3) Configure laptops, workstations, and servers so that they will not auto-run content from USB, CD/DVDs, Firewire or other externally connectable sources;

4) Deploy network access control tools to verify security and patch-level compliance before granting access to the network;

5) Implement a malware incident response process that quickly detects, contains, eradicates, and recovers malware-infected hosts; and

6) Considering that the above recommendations might mitigate 80% of the risk to GIAC Enterprises, the remaining 20% is where the real challenge lies. With this in mind, advanced technology is needed, such as virtual inspection of executable malware and inspection engines that monitor malware infections in real time and identify and block communication from compromised systems to attackers’ command and control servers.

Recognizing the importance of the GIAC Enterprises cookie sayings, a technology needs to be recommended to compensate for the deficiencies just mentioned. In particular, how can one detect and prevent zero-day attacks? Is there a way to monitor both inbound and outbound traffic to detect command and control sessions? One commercial example of such technology is FireEye, which recently shared its five key principles for designing an effective network-based defense. The five key principles which GIAC Enterprises will focus on are (FireEye, p. 5):

1) Dynamic defenses to stop targeted, zero-day attacks;
2) Real-time protection to block data exfiltration attempts;
3) Integrated inbound and outbound filtering across protocols;
4) Accurate, low false positive rates; and
5) Global intelligence on advanced threats to protect the local network.

They have developed next-generation protection against stealth malware to prevent data loss and intellectual property theft. A diagram depicting this technology is included below (FireEye, pp. 6-8):

Another example of a commercial solution sensor is provided by Damballa Failsafe (Damballa Failsafe, 2011). It fulfills GIAC Enterprises’ goal of monitoring malware infections in real time by monitoring DNS, egress and proxy traffic, and utilizes multi-dimensional deep-packet inspection engines to correlate suspicious behaviors to rapidly identify and isolate a breach by blocking the communication from compromised endpoints to criminal C&C servers. The following diagram depicts this approach:

This section helps to automate sub-controls 5.1, 5.2, 5.3, 5.5, 5.6, 5.7, 5.8, and 5.9 (CAG, 2011, pp. 26-27).
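The outbound monitoring this section calls for, as an added example that is not part of the original paper and not code from any vendor it names: it scans proxy log lines for a host that contacts the same external destination at near-regular intervals, the check-in behaviour of an endpoint polling a command and control server. The log format, host names and addresses are constructed for this example.

```python
"""Callback (C&C beaconing) detection over outbound proxy logs.

Added example, not from the paper or from any vendor it names. It flags an
internal host that contacts the same external destination at near-regular
intervals with near-constant request sizes, the polling behaviour of an
infected endpoint checking in with a command-and-control server. The log
format and every log line are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one request per line:
# "<ISO timestamp> <source IP> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2012-02-01T09:00:00 10.1.5.23 sync.example.test 512
2012-02-01T09:00:07 10.1.5.23 news.example.test 30211
2012-02-01T09:05:01 10.1.5.23 sync.example.test 512
2012-02-01T09:10:00 10.1.5.23 sync.example.test 514
2012-02-01T09:12:44 10.1.5.42 news.example.test 18877
2012-02-01T09:15:02 10.1.5.23 sync.example.test 512
2012-02-01T09:20:00 10.1.5.23 sync.example.test 513
2012-02-01T09:21:10 10.1.5.42 mail.example.test 2044
2012-02-01T09:25:01 10.1.5.23 sync.example.test 512
2012-02-01T09:47:30 10.1.5.42 news.example.test 25014
2012-02-01T10:02:11 10.1.5.42 news.example.test 9921
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, dst_host, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_hits=5, max_jitter=0.2, allowlist=frozenset()):
    """Group requests by (src, dst) and flag pairs whose inter-request intervals
    are regular. 'jitter' is the coefficient of variation (stdev / mean) of the
    intervals; a low value means the host is polling on a timer rather than
    being driven by a user. Destinations in 'allowlist' (known periodic
    services such as patch servers) are skipped to keep false positives down."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), hits in by_pair.items():
        # Need at least two requests to have an interval at all.
        if dst in allowlist or len(hits) < max(min_hits, 2):
            continue
        hits.sort()
        times = [ts for ts, _ in hits]
        sizes = [n for _, n in hits]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(hits),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
                "mean_bytes_out": round(mean(sizes), 1),
            })
    # Most regular beacon first; an analyst reviews these for containment.
    findings.sort(key=lambda f: f["jitter"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible callback: {f['src']} -> {f['dst']} "
              f"({f['hits']} hits every ~{f['mean_interval_s']}s, jitter {f['jitter']})")
```

On the constructed log the host 10.1.5.23 is reported for sync.example.test (six requests about 300 seconds apart), while the irregular browsing from 10.1.5.42 is not.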

7. Recommended Risk-based Action Plan

Clearly APTs pose significant risks to GIAC Enterprises and other organizations. This has led the Chief Legal Officer (CLO) and Chief Information Officer (CIO) for GIAC Enterprises to express concern, since the organization has a responsibility to do what is reasonable and prudent to protect the stakeholders. Therefore, a special team has been assigned the task of analyzing requirements and surveying available security standards and guidelines such as ISO, NIST, the 20 Critical Controls, and the Australian DSD 35 mitigating strategies. Appropriate research has also been conducted, and the relationship between the various frameworks has been mapped out. In addition, automation approaches have been developed for the most pressing controls from the point of view of the assigned team. One of the results of this research is a risk-based action plan for GIAC Enterprises to follow. The objective of this plan is to give tailored security guidance advice. The recommended plan is based on the action plan laid out at the end of the 20 Critical Controls – Consensus Audit Guidelines (CAG, 2011, p. 69), augmented with steps the team believes are essential for the organization’s specific requirements. Implementing all the 20 Critical Controls to the “advanced controls” level can take multiple years. To quickly mitigate risk, the team believes that once the “Quick Wins” are implemented for the 20 Critical Controls, the focus should be on implementing controls 4, 5, 15, and 17 right away.

Action Plan:

1) Conduct a gap assessment to compare the organization’s current security stance to the detailed recommendations of the critical controls;

2) Implement the “quick win” critical controls to address the gaps identified by the assessment over the next one or two quarters;

3) Implement critical controls numbers 4 and 5. Leverage the suggested automation approaches included in this research. Reaching the “advanced controls” level is preferred, but not necessary;

4) Implement critical controls numbers 15 and 17. Leverage the suggested automation approaches included in this research. Reaching the “advanced controls” level is preferred, but not necessary;

5) Assign security personnel to analyze and understand how the remaining critical controls, beyond the quick wins and controls 4, 5, 15, and 17, can be deployed;

6) For the remaining controls, devise detailed plans to implement the “visibility and attribution” and “hardened configuration and improved information security hygiene” controls over the next year; and

7) Plan for the deployment of the “advanced controls” over the longer term, giving priority to controls 4, 5, 15, and 17.

8. References

Alperovitch, D. et al (2011, August 2). Revealed: Operation Shady Rat. Retrieved from http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat

Andress, J. (2011). Advanced Persistent Threat. ISSA Journal, 2011(June), 18-24. Retrieved from https://www.issa.org/images/upload/files/Andress-Advanced%20Persistent%20Threat.pdf

Baseline Standard of Due Care for Cybersecurity (2009, February 23). U.S. Federal Cybersecurity Experts Name Top 20 Controls. Retrieved December 22, 2011, from http://www.gilligangroupinc.com/headlines/2009/feb-23-related/20090223-cag-press-release-pdf.html

Binde, B. et al (2011, May 22). Assessing outbound traffic to uncover advanced persistent threat. Retrieved from http://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf

Bitpipe.com (2011, September 22). Advanced Persistent Threat: Are You the Next Target? [White paper sponsored by Imperva]. Retrieved December 14, 2011, from http://www.bitpipe.com/detail/RES/1316630992_836.html?asrc=RSS_BP_TERM

Command Five Pty Ltd. (2011, September 01). SK Hack by an Advanced Persistent Threat. Retrieved from http://www.commandfive.com/papers/C5_APT_SKHack.pdf

Consensus Audit Guidelines (CAG) Version 3.1 (2011, October 03). Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG). Retrieved December 23, 2011, from http://www.sans.org/critical-security-controls/cag3_1.pdf

Continuity Central – The international business continuity information portal. (2012, January 13). Twenty critical controls for effective cyber defense (U.K. Centre for the Protection of National Infrastructure). Website retrieved January 14, 2012, from http://continuitycentral.com/news06099.html

Coviello, A. (2011, March 18). Open Letter to RSA Customers. Retrieved December 22, 2011, from RSA.com: http://www.rsa.com/node.aspx?id=3872

Damballa. (2011). Advanced Malware. Retrieved January 2, 2012, from http://www.damballa.com/cyber-threats/advanced_malware.php

Damballa Failsafe. (2011). Damballa Failsafe 5.0 Demo. Retrieved January 2, 2012, from http://www.damballa.com/solutions/damballa-failsafe-demo.php?mkt_tok=3RkMMJWWfF9wsRokuKzPZKXonjHpfsX66OUkXaeg38431UFwdcjKPmjr1YEIT9QhcOuuEwcWGog8xA1VGOGZcIE%3D

darkReading.com (2011, December 13). Tenable Network Security Offers Unique Integration With Top Patch Management Solutions. Retrieved December 27, 2011, from http://www.darkreding.com/taxonomy/index/printarticle/id/232300437

Dausin, M. (2010, September 16). Top Cyber Security Risks 2010. Retrieved from http://dvlabs.tippingpoint.com/blog/2010/09/16/top-syber-security-risks-2010

E-Government Act of 2002. (2002, December 17). Public Law 107-347. Retrieved December 21, 2011, from http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf

FIPS PUB 200. (2006, March 09). Federal Information Processing Standards 200 – Announcing the Standard for Minimum Security Requirements for Federal Information and Information Systems. Website retrieved December 21, 2011, from http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

FireEye. (n.d.). 5 Design Principles for Advanced Malware Protection [White paper]. Retrieved December 27, 2011, from http://docs.media.bitpipe.com/io_10x/io_100086/item_407114/FireEye_5DesignPrinciples_wp.pdf

FISMA Implementation Project. (2009, June 12). FISMA Implementation Project. Website retrieved December 21, 2011, from http://www.nist.gov/itl/csd/sma/fisma.cfm

Guido, D. (2011, April 20). The Exploit Intelligence Project. Website retrieved January 28, 2012, from http://www.isecpartners.com/presentations/the-exploit-intelligence-project.html

Gula, R., & Fennelly, C. (2011, November 16). Real-Time Auditing for SANS Consensus Audit Guidelines – Leveraging Asset-Based Configuration and Vulnerability Analysis with Real-Time Event Management. Retrieved December 28, 2011, from http://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/uploads/documents/whitepapers/tenable_SANS-CAG_compliance.pdf

InfoSecurity (2011, June 23). The Hype, and the Reality, Behind Advanced Persistent Threats. Website retrieved December 27, 2011, from http://www.infosecurity-magazine.com/view/18897/the-hype-and-the-reality-behind-advanced-persistent-threats/

Jackson, W. (2011, October 03). NIST offers a how-to for must-do continuous monitoring. Website retrieved January 5, 2012, from http://gcn.com/Articles/2011/10/03/NIST-continuous-monitoring-security.aspx?Page=1

Kruse, P. (2011, September 27). This is how windows get infected by malware. Website retrieved January 28, 2012, from http://www.csis.dk.en.csis/news/3321

Lau, H. (2011, August 04). The Truth Behind the Shady Rat [Web log message]. Retrieved from http://www.symantec.com/connect/blogs/truth-behind-shady-rat

McClure, S. et al. (2010, March 03). Protecting Your Critical Assets: Lessons Learned from “Operation Aurora” [White paper]. Retrieved December 22, 2011, from McAfee.com: http://www.mcafee.com/us/resources/white-papers/wp-protecting-critical-assets.pdf

Mell, P. et al. (2005, November 23). Special Publication 800-83 - Guide to Malware Incident Prevention and Handling. Website retrieved January 30, 2012, from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf

Parizo, E. (2012, January 27). Time to ban dangerous apps? Exploring third-party app security. Website retrieved January 27, 2012, from http://searchsecurity.techtarget.com/opinion/Time-to-ban-dangerous-apps-Exploring-third-party-app-security?asrc=EM_NLN_16192387&track=NL-105&ad=860220&

RSA Data Loss Prevention (DLP) Suite (2011, December 20). Retrieved from http://www.rsa.com/node.aspx?id=3426

RSA Data Loss Prevention (DLP) Policy Workflow Manager (PWM) (2011, December 23). Retrieved from http://www.rsa.com/products/DLP/ds/11436_DLPPWM_DS_0611.pdf

RSA Data Loss Prevention (DLP) Risk Remediation Manager (RRM) (2011, December 24). Retrieved from http://www.rsa.com/products/DLP/ds/11435_DLPRRM_DS_0611.pdf

SANS Press Release. (2011, October 24). Australian Defence Signals Directorate wins U.S. National Cybersecurity Innovation Award – Identifying and Implementing the Four Key Controls That Stop the Spread of Targeted Cyber Intrusions. Retrieved January 13, 2012, from http://www.sans.org/press/australian-defence-signals-directorate-national-cybersecurity-award.php

Shook, S. et al. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved from http://www.mcafee.com/in/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf

Smith, M. (2011, February 27). NIST SP 800-53 Rev. 4 already in the works. Retrieved December 22, 2011, from http://netlocksmith.blogspot.com/2011/02/nist-sp-800-53-rev-4-already-in-works.html

Sophos. (2011). Security threat report 2011 [White paper]. Retrieved from http://www.sophos.com/medialibrary/Gated Assets/white papers/sophossecuritythreatreport2011wpna.pdf

SP 800-137. (2011, September). NIST Special Publication 800-137 – Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Website retrieved January 5, 2012, from http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

SP 800-53 Revision 3. (2010, May 01). NIST Special Publication 800-53 Revision 3 – Recommended Security Controls for Federal Information Systems and Organizations. Website retrieved December 21, 2011, from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

Tipton, H. & Krause, M. (2007). Information security management handbook, sixth edition. [Books24x7 version] Available from http://common.books24x7.com/toc.aspx?bookid=26438

Walder, B. (2010, November 29). Advanced Evasion Technologies: Weapon of Mass Destruction or Absolute Dud? Retrieved December 29, 2011, from http://www.stonesoft.com/export/download/partner_mat/advanced_evasion_techniques__209087.pdf

9. APPENDIX

Appendix A: FIPS PUB 200 - Specifications for Minimum Security Requirements

Specifications | Description

Access Control (AC)

Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Awareness and Training (AT)

Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Audit and Accountability (AU)

Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Certification, Accreditation, and Security Assessments (CA)

Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management (CM)

Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Contingency Planning (CP)

Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Identification and Authentication (IA)

Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Incident Response (IR)

Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

Maintenance (MA)

Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection (MP)

Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.


Physical and Environmental Protection (PE)

Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

Planning (PL)

Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Personnel Security (PS)

Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Risk Assessment (RA)

Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

System and Services Acquisition (SA)

Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

System and Communications Protection (SC)

Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

System and Information Integrity (SI)

Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.


Appendix B: Mapping between the 20 Critical Security Controls and National Institute of Standards and Technology Special Publication 800-53, Revision 3, Priority 1 Items

Control | References

Critical Control 1: Inventory of Authorized and Unauthorized Devices

CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6

Critical Control 2: Inventory of Authorized and Unauthorized Software

CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), CM-8 (1, 2, 3, 4, 6), CM-9, PM-6, SA-6, SA-7

Critical Control 3: Secure Configurations for Hardware and Software

CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6

Critical Control 4: Continuous Vulnerability Assessment and Remediation

RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)

Critical Control 5: Malware Defenses

SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)

Critical Control 6: Application Software Security

CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10

Critical Control 7: Wireless Device Control

AC-17, AC-18 (1, 2, 3, 4), SC-9 (1), SC-24, SI-4 (14, 15)

Critical Control 8: Data Recovery Capability

CP-9 (a, b, d, 1, 3), CP-10 (6)

Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps

AT-1, AT-2 (1), AT-3 (1)

Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9

Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services

CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12)

Critical Control 12: Controlled Use of Administrative Privileges

AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4)

Critical Control 13: Boundary Defense AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18, SI-4 (c, 1, 4, 5, 11), PM-7

Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Log

AC-17 (1), AC-19, AU-2 (4), AU-3 (1,2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12 (2), SI-4 (8)

Critical Control 15: Controlled Access Based on the Need to Know

AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a)

Critical Control 16: Account Monitoring and Control

AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3


Critical Control 17: Data Loss Prevention

AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7

Critical Control 18: Incident Response Capability

IR-1, IR-2 (1), IR-4, IR-5, IR-6 (a), IR-8

Critical Control 19: Secure Network Engineering

IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7

Critical Control 20: Penetration Tests and Red Team Exercises

CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)
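One way to automate the crosswalk that Appendix B above and Appendix C below lay out, as an added example that is not part of the original paper: a DSD strategy's matching sub-controls are resolved to their parent Critical Control and then to that control's SP 800-53 references. Only a few rows of each appendix are reproduced as sample data, with the strategy names abbreviated; the reference strings are copied from the appendices.

```python
"""Automating the crosswalk of Appendices B and C.

Added example, not from the paper: it joins the paper's Appendix C (DSD
mitigation strategy -> matching Critical Control sub-controls) with
Appendix B (Critical Control -> SP 800-53 Rev. 3 references) so that the
SP 800-53 controls behind any DSD strategy can be listed automatically.
Only a few rows of each appendix are reproduced as sample data; the
reference strings are copied from the appendices verbatim.
"""
import re

# Sample of Appendix B: Critical Control number -> SP 800-53 references,
# in the appendix's own notation (letters are statement items, digits are
# control enhancements).
APPENDIX_B = {
    2: "CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), CM-8 (1, 2, 3, 4, 6), CM-9, PM-6, SA-6, SA-7",
    4: "RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)",
    5: "SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)",
    19: "IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7",
}

# Sample of Appendix C: DSD effectiveness rank -> (strategy, matching sub-controls).
APPENDIX_C = {
    1: ("Patch applications", "4.3"),
    3: ("Minimize the number of users with administrative privileges", "19.1, 19.6"),
    4: ("Application white listing", "2.4"),
    13: ("Application-based workstation firewall (incoming traffic)", "3.3, 8.1, 5.1"),
}

# 'CM-8 (a, c, d, 2, 3, 4)' -> control id plus optional parenthesised detail.
REF_RE = re.compile(r"([A-Z]{2}-\d+)\s*(?:\(([^)]*)\))?")


def parse_sp800_refs(ref_string):
    """'CM-8 (a, c, d, 2, 3), PM-5' -> [('CM-8', ['a','c','d','2','3']), ('PM-5', [])]"""
    refs = []
    for ctrl, detail in REF_RE.findall(ref_string):
        items = [d.strip() for d in detail.split(",") if d.strip()] if detail else []
        refs.append((ctrl, items))
    return refs


def parse_subcontrols(sub_string):
    """'19.1, 19.6' -> [(19, 1), (19, 6)]"""
    pairs = []
    for token in sub_string.split(","):
        token = token.strip()
        if token:
            major, minor = token.split(".")
            pairs.append((int(major), int(minor)))
    return pairs


def control_sort_key(ctrl):
    """Sort 'SC-7' before 'SC-13' (numeric, not lexical, within a family)."""
    family, number = ctrl.split("-")
    return (family, int(number))


def crosswalk(appendix_b=APPENDIX_B, appendix_c=APPENDIX_C):
    """Return {dsd_rank: {'sp800_53': [...], 'unmapped_cc': [...]}}.

    A sub-control whose parent Critical Control has no Appendix B row in the
    sample (Controls 3 and 8 here) is reported under 'unmapped_cc' rather than
    silently dropped, so gaps in the crosswalk stay visible."""
    result = {}
    for rank, (_name, subs) in appendix_c.items():
        sp_controls, unmapped = set(), set()
        for cc, _minor in parse_subcontrols(subs):
            if cc in appendix_b:
                sp_controls.update(c for c, _ in parse_sp800_refs(appendix_b[cc]))
            else:
                unmapped.add(cc)
        result[rank] = {
            "sp800_53": sorted(sp_controls, key=control_sort_key),
            "unmapped_cc": sorted(unmapped),
        }
    return result


def strategies_covering(sp800_control, appendix_b=APPENDIX_B, appendix_c=APPENDIX_C):
    """Reverse lookup: which DSD strategies (by rank) reach a given SP 800-53 control."""
    xw = crosswalk(appendix_b, appendix_c)
    return sorted(r for r, v in xw.items() if sp800_control in v["sp800_53"])


if __name__ == "__main__":
    for rank, hit in sorted(crosswalk().items()):
        name = APPENDIX_C[rank][0]
        gap = f"; no Appendix B row for CC {hit['unmapped_cc']}" if hit["unmapped_cc"] else ""
        print(f"DSD #{rank} ({name}): {', '.join(hit['sp800_53']) or 'none'}{gap}")
```

Loading the full tables from both appendices in place of the sample dictionaries gives the complete three-way crosswalk the paper's title refers to.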


Appendix C: Mapping between the 20 Critical Security Controls and the Australian Government Defence Signals Directorate’s 35 Mitigation Strategies

Effectiveness Ranking | Mitigation Strategy | Matching Top 20 Critical Controls

1 | Patch applications (e.g., PDF viewer, Flash Player, Microsoft Office and Java). Patch or mitigate within two days for high-risk vulnerabilities. Use the latest version of applications. | 4.3

2 | Patch operating system vulnerabilities. Patch or mitigate within two days for high-risk vulnerabilities. Use the latest operating system version. | 4.3

3 | Minimize the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for e-mail and web browsing. | 19.1, 19.6

4 | Application white listing to help prevent malicious software and other unapproved programs from running (e.g., by using Microsoft Software Restriction Policies or AppLocker). | 2.4

5 | Host-based intrusion detection/prevention system to identify anomalous behavior such as process injection, keystroke logging, driver loading, and call hooking. | 8.1, 8.6

6 | White-listed email content filtering allowing only attachment types required for business functionality. Preferably convert/sanitize PDF and Microsoft Office attachments. | 8.5

7 | Block spoofed e-mails using sender policy framework checking of incoming e-mails, and a “hard fail” SPF record to help prevent spoofing of your organization’s domain. | 12.5

8 | User education (e.g., Internet threats and spear phishing socially engineered emails). Avoid weak pass phrases, pass phrase re-use, exposing e-mail addresses, unapproved USB devices. | 19.1, 17.1, 17.2, 17.3, 17.4, 17.5

9 | Web content filtering of incoming and outgoing traffic, using signatures, reputation ratings, and other heuristics, and white listing allowed types of web content. | 12.1, 12.2, 12.3

10 | Web domain white listing for all domains, since this approach is more proactive and thorough than black listing a tiny percentage of malicious domains. | 12.1, 12.7

11 | Web domain whitelisting for HTTPS/SSL domains, since this approach is more proactive and thorough than black listing a tiny percentage of malicious domains. | 12.1, 12.7

12 | Workstation inspection of Microsoft Office files for abnormalities (e.g., using the Microsoft Office File Validation feature). | 8.1, 8.6

13 | Application-based workstation firewall, configured to deny traffic by default, to protect against malicious or otherwise unauthorized incoming network traffic. | 3.3, 8.1, 5.1

14 | Application-based workstation firewall, configured to deny traffic by default, that white lists which applications are allowed to generate outgoing network traffic. | 3.3, 8.1, 8.8, 5.1

15 | Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication and user directory information.

10.8, 12.6,20.4, 11.1,

11.5

16

Multi-factor authentication especially implemented for when the user is about to perform a privileged action, or access a database or other sensitive information reposi-tory.

10.6, 19.11

17Randomized local administrator pass phrases that are unique and complex for all computers. Use domain group privileges instead of local administrator accounts.

19.1, 19.7

18Enforce a strong pass phrase policy covering complexity and length, and avoiding both pass phrase re-use and the use of dictionary words.

19.1, 19.8,13.7

19

Border gateway using an IPv6-capable firewall to pre-vent computers from directly accessing the Internet ex-cept via a split DNS server, an e-mail server, or an au-thenticated web proxy.

10.5, 12.7,11.3

20Data execution prevention using hardware and software mechanisms for all software applications that support DEP.

3.3

21

Anti-virus software with up-to-date signatures, reputation ratings, and other heuristic detection capabilities. Use gateway and desktop anti-virus software from different vendors.

8.1, 8.2, 8.5,8.6

22Nonpersistent, virtualized trusted operating environment with limited access to network file shares, for risky activ-ities such as reading e-mail and web browsing.

2.6

23Centralized and time-synchronized logging of allowed and blocked network activity, with regular log analysis, storing logs for at least 18 months.

7.1, 7.3, 7.5,7.6,

7.7

24Centralized and time-synchronized logging of successful and failed computer events, with regular log analysis, storing logs for at least 18 months.

7.1, 7.4, 7.5,7.6

25 Standard operating environment with unrequired operat-ing system functionality disabled (e.g., IPv6, autorun and

3.1, 3.2, 3.3,8.3

Page 48: · Web viewAttack Summary Most Directly Related Control Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are

Automating Crosswalk between SP 800 and the 20 Critical Controls 48

Remote Desktop). Harden file and registry permissions.

26Workstation application security configuration hardening (e.g., disable unrequired features in PDF viewers, Microsoft Office applications, and web browsers).

3.1, 3.2, 3.3

27 Restrict access to NetBIOS services running on worksta-tions and on servers where possible. 20.3, 20.4

28

Server application security configuration hardening (e.g., databases, web applications, customer relationship man-agement, and other data storagesystems).

3.1, 3.2, 3.3

29

Removable and portable media control as part of a data loss prevention strategy, including storage, handling, white listing allowed USB devices, encryption, and de-struction.

8.3, 8.4, 9.7,9.8, 9.10

30

TLS encryption between e-mail servers to help prevent legitimate e-mails from being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted.

20.4

31Disable LanMan password support and cached creden-tials on workstations and servers to make it harder for ad-versaries to crack password hashes.

3.1, 3.2, 3.3,19.5

32 Block attempts to access websites by their IP address in-stead of by their domain name. 12.1, 12.7

33

Network-based intrusion detection/prevention system us-ing signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter bound-aries.

12.2, 12.3

34

Gateway black listing to block access to known mali-cious domains and IP addresses, including dynamic and other domains provided free to anonymous Internet users.

12.1

35Full network traffic capture to perform post-incident analysis of successful intrusions, storing network traffic for at least the previous seven days.

12.4
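The two appendices above are the raw material for the automated crosswalk the paper describes: a DSD mitigation strategy maps to Critical Control sub-controls (Appendix C), and each Critical Control maps to SP 800-53 controls (Appendix B), so a strategy can be chained through to the SP 800-53 controls it ultimately supports, and Critical Controls that no strategy touches can be flagged. The following Python is an added example, not the authors' tooling; it transcribes only the Appendix B rows visible on this page (Critical Controls 17 to 20) and the Appendix C rows that land in those controls, so a full crosswalk would load all 20 rows of Appendix B. The function names and the `CC(n)` output format are assumptions of this example.

```python
"""Crosswalk example: DSD mitigation strategy -> Critical Control -> SP 800-53.

The mapping strings below are transcribed from Appendix B (Critical Controls
17-20) and Appendix C of the paper; the parsing and query code is an added
example and not the paper's own automation.
"""
import re

# Appendix B, transcribed: Critical Control number -> SP 800-53 controls
# (parenthesised numbers are control enhancements, e.g. "SC-7 (6, 10)").
CC_TO_SP800 = {
    17: "AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7",
    18: "IR-1, IR-2 (1), IR-4, IR-5, IR-6 (a), IR-8",
    19: "IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7",
    20: "CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)",
}

# Appendix C, transcribed: DSD strategy rank -> matching Critical Control
# sub-controls (only the rows that reach CC 17-20 are included here).
DSD_TO_CC = {
    3: "19.1, 19.6",
    8: "19.1, 17.1,17.2, 17.3,17.4, 17.5",
    15: "10.8, 12.6,20.4, 11.1, 11.5",
    16: "10.6, 19.11",
    17: "19.1, 19.7",
    18: "19.1, 19.8,13.7",
    27: "20.3, 20.4",
    30: "20.4",
    31: "3.1, 3.2, 3.3,19.5",
}

# "SC-7 (6, 10)" -> base "SC-7" plus optional enhancement list "6, 10"
SP800_RE = re.compile(r"([A-Z]{2}-\d+)\s*(?:\(([^)]*)\))?")


def parse_sp800(cell):
    """Expand an Appendix B cell into one id per control/enhancement.

    'SC-7 (6, 10), SC-9' -> ['SC-7(6)', 'SC-7(10)', 'SC-9']
    """
    out = []
    for base, enh in SP800_RE.findall(cell):
        if enh:
            out.extend(f"{base}({e.strip()})" for e in enh.split(","))
        else:
            out.append(base)
    return out


def parse_subcontrols(cell):
    """'19.1, 17.1,17.2' -> [(19, 1), (17, 1), (17, 2)], tolerant of the
    inconsistent spacing the extracted table carries."""
    return [tuple(int(p) for p in tok.split(".")) for tok in re.findall(r"\d+\.\d+", cell)]


def crosswalk(strategy):
    """SP 800-53 controls reached from one DSD strategy via the CC rows loaded."""
    controls = set()
    for cc, _sub in parse_subcontrols(DSD_TO_CC[strategy]):
        if cc in CC_TO_SP800:
            controls.update(parse_sp800(CC_TO_SP800[cc]))
    return sorted(controls)


def uncovered_critical_controls():
    """Critical Controls present in Appendix B that no DSD strategy maps to:
    the gaps an automated crosswalk is meant to surface."""
    covered = {cc for cell in DSD_TO_CC.values() for cc, _ in parse_subcontrols(cell)}
    return sorted(cc for cc in CC_TO_SP800 if cc not in covered)


def strategies_for_sp800(control):
    """Reverse lookup: DSD strategies that ultimately support one SP 800-53 id."""
    return [s for s in DSD_TO_CC if control in crosswalk(s)]


if __name__ == "__main__":
    for s in DSD_TO_CC:
        print(f"DSD {s:>2} -> {', '.join(crosswalk(s))}")
    print("Critical Controls with no DSD strategy:", uncovered_critical_controls())
    print("Strategies supporting PM-7:", strategies_for_sp800("PM-7"))
```

Running it shows the transitive result the tables only imply: every strategy that touches Critical Control 17 or 19 ends up supporting PM-7, and Critical Control 18 (Incident Response Capability) is reached by none of the 35 strategies, which is exactly the kind of coverage gap a crosswalk tool should report rather than leave buried in two separate appendices.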