Joint Written Project (JWP) Assignment




Automating Crosswalk between SP 800, the 20
Critical Controls, and the Australian Government
Defence Signals Directorate’s 35 Mitigating
Strategies



GIAC Enterprises




Authors:
Ahmed Abdel-Aziz
Robert Sorensen
February 2012
                          Automating Crosswalk between SP 800 and the 20 Critical Controls 2




                                                    Table of Contents

1. Executive Summary ........ 3
2. Introduction ........ 4
3. Relationship between SP 800, 20 Critical Controls, and the Australian Government DSD’s 35 Mitigating Strategies ........ 5
    3.1 SP 800 ........ 5
    3.2 20 Critical Security Controls ........ 5
    3.3 Australian Government Defence Signals Directorate’s 35 Mitigating Strategies ........ 8
4. Developing APT-focused Security Guidance Strategy ........ 8
    4.1 Advanced Persistent Threats (APTs) ........ 8
    4.2 Risk-based Approach ........ 9
5. Automation Approach for Critical Controls 15 and 17 ........ 12
    5.1 Exploiting the Absence of Critical Controls 15 and 17 ........ 12
    5.2 Focusing on the Data ........ 12
    5.3 Establishing a Risk-based DLP Program ........ 13
    5.4 Automating Data Classification and Policy Definition ........ 14
    5.5 Automating the Control of Data-in-Motion ........ 16
    5.6 Automating the Control of Data-at-Rest/Data-in-Use ........ 18
6. Automation Approach for Critical Controls 4 and 5 ........ 22
    6.1 Exploiting the Absence of Critical Controls 4 and 5 ........ 24
    6.2 Focusing on the APTs, and the Threat Vectors through Continuous Monitoring ........ 24
    6.3 Control 4 - Automating Continuous Vulnerability Assessment and Remediation ........ 26
    6.4 Control 5 - Automating Continuous Monitoring of Malicious Software and Malware Callbacks ........ 30
7. Recommended Risk-based Action Plan ........ 33
8. References ........ 35
9. Appendix ........ 40
    Appendix A: FIPS PUB 200 - Specifications for Minimum Security Requirements ........ 40
    Appendix B: Mapping between the 20 Critical Security Controls and National Institute of Standards and Technology Special Publication 800-53, Revision 3, Priority 1 Items ........ 44
    Appendix C: Mapping between the 20 Critical Security Controls and the Australian Government Defence Signals Directorate’s 35 Mitigation Strategies ........ 46

1. Executive Summary
        GIAC Enterprises is a small to medium sized growing business (1,000 employees)
with two data centers and 200 people in central business and IT. The GIAC Enterprises
Fortune Cookie sayings are a closely guarded secret and have come under attack from
competitors in the past. Recently, a security expert from a respected consultancy gave a
briefing on a topic titled, “Operation Shady RAT,” that outlined a scenario where many
corporations and government organizations were compromised routinely over a period of
five years (Alperovitch, 2011). This has prompted our organization to examine key
security investments, come up with sound advice regarding security strategy, and how to
implement that strategy.

         In making this recommendation, we reached out for guidance included in widely
recognized information security frameworks. Our analysis showed SANS’ Consensus
Audit Guidelines (CAG) reinforces and prioritizes some of the important elements put
forth in U.S. government documentation such as NIST SP 800-53. Furthermore, portions
of the CAG are reinforced by the Australian Government Defence Signals Directorate’s
(DSD) 35 strategies to mitigate targeted cyber intrusions. After reviewing the direct
mapping between the 20 critical controls and NIST SP 800-53, and DSD’s 35 strategies,
we adopted a security guidance strategy that is based on or designed to counter Advanced
Persistent Threats (APTs). APTs currently pose significant risks to GIAC Enterprises,
and it is likely the situation will stay that way for the foreseeable future. Therefore, our
risk-based security guidance strategy is information focused and gives special attention to
four security controls, which are geared well for attacks with APT characteristics. The
four security controls are: 1) Controlled Access based on the Need-to-Know; 2)
Continuous Vulnerability Assessment and Remediation; 3) Malware Defenses; and 4)
Data Loss Prevention (DLP).

        We have devised automation approaches for these four controls to facilitate
implementing them. We argue that more attention is needed to secure the data, and have
proposed a model for a DLP program. Therefore, we have developed an automation
approach for data classification and DLP policy definition. This was followed by
automation approaches to control data-in-motion, data-at-rest, and data-in-use. We knew
that for an attack to succeed, it will need to exploit a vulnerability. That is why we also
focused on reducing our attack surface by developing an automation approach for
continuous vulnerability assessment and remediation, as well as malware defenses.

        Finally, our research ends with a recommended action plan for GIAC Enterprises.
The objective of this action plan is to take the organization from its current security state,
to the desired security state, in a step-by-step fashion.

2. Introduction
        Advanced Persistent Threats (APTs) (Andress, 2011)! Operation Shady RAT
(Lau, 2011)! These are terms or references that just a few years ago would not have
raised an eyebrow. Today, they are well known and often overused buzzwords.
However, that does not change the nature of the threat that they have exposed. From the
highly visible case of “Operation Aurora,” where Google, Adobe, and dozens of other
companies came under attack in 2009 and 2010 from sources believed to be in China
(McClure, 2010), to the sophistication and stealth of the compromise of RSA intellectual
property (Coviello, 2011), major corporations have come under attack. What is to
prevent your enterprise from suffering the same fate?
        As reported in the Second Qualys annual report, modern-day attackers employ
organized, well written, and highly sophisticated exploit code to do their deeds (Dausin,
2010). To assist in counteracting the many assaults, one needs to take proactive steps to
manage risk and exposure. Guidance to help mitigate this risk has been provided as a
result of multiple initiatives. Examples of such initiatives are: Federal Information
Security Management Act (FISMA), the 20 Critical Security Controls, and the Australian
Government Defence Signals Directorate’s (DSD) 35 Mitigating Strategies. An
informative explanation follows to describe the relationship and synergy between these
specific three initiatives.
        In an effort to maximize the benefit of these initiatives with minimal resources,
one must target a subset of controls to initially implement. This idea of initially targeting
a subset of controls was proven successful by the Australian DSD, which will be covered
in more detail. This research is based on a similar targeting approach; however, the subset
of controls selected is a subset of the 20 Critical Controls. The development of a security
guidance strategy for GIAC Enterprises, as well as automation approaches for that
strategy will be explored in detail.

3. Relationship between SP 800, 20 Critical Controls, and
   the Australian Government DSD’s 35 Mitigating
   Strategies
3.1 SP 800

    Title III of the E-Government Act of 2002 (P.L. 107-347), which authorized the Federal
Information Security Management Act (FISMA), was designed to strengthen information
security government-wide (E-Government Act of 2002). The National Institute of
Standards and Technology (NIST) was tasked to develop, document, and implement an
organization-wide program to provide security for the information systems that support
its operations and assets. The result was the establishment of the FISMA Implementation
Project in January 2003 (FISMA Implementation Project, 2009). One of the key
publications that came from this effort is SP 800-53 - Recommended Security Controls
for Federal Information Systems and Organizations (SP 800-53 Revision 3, 2010). This
is designed to cover the steps in the Risk Management Framework that address security
control selection for federal information systems in accordance with the security
requirements in Federal Information Processing Standard (FIPS) 200. This standard
specifies the minimum security requirements in seventeen security-related areas and all
federal agencies must be in compliance with this standard (FIPS PUB 200, 2006, p. v).
       There are specifications outlined for the minimum security requirements which
can be found in Appendix A: FIPS PUB 200 - Specifications for Minimum Security
Requirements (FIPS PUB 200, 2006, p. 2-4).
    As noted, SP 800-53 is currently in its third revision. It will continue to be updated
to reflect the current state of information security to include guidance concerning insider
threats; software application security; social networking; mobile devices; cloud
computing; cross domain solutions; advanced persistent threat; supply chain security;
Industrial/process control systems; and privacy (Smith, 2011).

3.2 20 Critical Security Controls

       In early 2008, as a response to the extreme data losses experienced by leading
companies in the U.S. defense industrial base, a consortium of federal agencies and
private organizations developed Version 1.0 of the Consensus Audit Guidelines that
define the most critical security controls to protect federal and contractor information and
information systems (Baseline Standard of Due Care for Cybersecurity, 2009).
       This effort has continued to evolve, and the 20 Critical Security Controls, Version
3.1, was released in October 2011 (Consensus Audit Guidelines Version 3.1, 2011). The
effectiveness of this document is based on the knowledge of actual attacks and the
defensive techniques that are most important to counteract them. Contributors include
(CAG, 2011, p. 8):
                       Consensus Audit Guidelines Contributors
   1) Blue team members inside the Department of Defense (DoD) who are often called
       in when military commanders find their systems have been compromised and who
       perform initial incident response services on impacted systems.
   2) Blue team members who provide services for non-DoD government agencies that
       identify prior intrusions while conducting vulnerability assessment activities.
   3) US Computer Emergency Readiness Team staff and other nonmilitary incident
       response employees and consultants who are called upon by civilian agencies and
       companies to identify the most likely method by which systems and networks
       have been compromised.
   4) Military investigators who fight cyber crime.
   5) The FBI and other law enforcement organizations that investigate cyber crime.
   6) Cybersecurity experts at US Department of Energy laboratories and federally
       funded research and development centers.
   7) DoD and private forensics experts who analyze computers that have been infected
       to determine how the attackers penetrated the systems and what they did
       subsequently.
   8) Red team members inside the DoD tasked with finding ways of circumventing
       military cyber defenses during their exercises.
   9) Civilian penetration testers who test civilian government and commercial systems
       to determine how they can be penetrated, with the goal of better understanding
       risk and implementing better defenses.
   10) Federal CIOs and CISOs who have intimate knowledge of cyber attacks.

       The 20 Critical Controls include 15 controls that can be continuously monitored
and validated at least in part in an automated manner and five that must be validated
manually (CAG, 2011, p. 9-10).
  Critical Controls subject to automated collection, measurement, and validation:
   1) Inventory of Authorized and Unauthorized Devices
   2) Inventory of Authorized and Unauthorized Software
   3) Secure Configurations for Hardware and Software on Laptops, Workstations, and
       Servers
   4) Continuous Vulnerability Assessment and Remediation
   5) Malware Defenses
   6) Application Software Security
   7) Wireless Device Control
   8) Data Recovery Capability (validated manually)
   9) Security Skills Assessment and Appropriate Training to Fill Gaps (validated
      manually)
   10) Secure Configurations for Network Devices such as Firewalls, Routers, and
      Switches
   11) Limitation and Control of Network Ports, Protocols, and Services
   12) Controlled Use of Administrative Privileges
   13) Boundary Defense
   14) Maintenance, Monitoring, and Analysis of Security Audit Logs
   15) Controlled Access Based on the Need to Know
   16) Account Monitoring and Control
   17) Data Loss Prevention
   18) Incident Response Capability (validated manually)
   19) Secure Network Engineering (validated manually)
   20) Penetration Tests and Red Team Exercises (validated manually)

         As described in the document, there is a direct relationship to the U.S. Federal
Guidelines:
         The 20 Critical Controls are meant to reinforce and prioritize some of the
         most important elements of the guidelines, standards, and requirements
         put forth in other US government documentation, such as NIST Special
         Publication 800-53, SCAP, FDCC, FISMA, manageable network plans,
         and Department of Homeland Security software assurance documents.
         These guidelines do not conflict with such recommendations. In fact, the
         guidelines set forth are a proper subset of the recommendations of NIST
         Special Publication 800-53, designed so that organizations can focus on a
         specific set of actions associated with current threats and computer
         attacks they face every day (CAG, 2011, p. 12).

         The direct mapping between the 20 Critical Security Controls and NIST Special
Publication 800-53, Revision 3, Priority 1 items can be found in Appendix B.
        The U.K. Centre for the Protection of National Infrastructure (CPNI) recently
released a new guidance document detailing the Top Twenty Critical Security Controls.
These provide a baseline of high-priority information security measures and controls that
can be applied across an organization in order to improve its cyber defense. CPNI is
participating in an international government-industry effort to promote the top twenty
critical controls for computer and network security which is being coordinated by the
SANS Institute (Continuity Central, 2012).

3.3 Australian Government Defence Signals Directorate’s 35
    Mitigating Strategies

      In 2010, the Australian Defence Signals Directorate (DSD) developed a list of 35
prioritized mitigation strategies to defend networks and systems from cyber attack based
on the study of all known targeted intrusions against government systems, and articulated
what would have stopped the infections from spreading. The DSD updated and
reprioritized this list in 2011 and determined that at least 85% of the targeted cyber
intrusions could have been prevented by following the top four mitigation strategies.
Because of this ground-breaking directive of focusing on the top four controls and
implementing them, they received the 2011 U.S. National Cybersecurity Innovation
Award (SANS Press Release, 2011). The top four specific controls (nicknamed the
“sweet spot”) are:
      1) Patch applications such as PDF readers, Microsoft Office, Java, Flash
         Player and web browsers;
      2) Patch operating system vulnerabilities;
      3) Minimize the number of users with administrative privileges; and
      4) Use application whitelisting to help prevent malicious software and
         other unapproved programs from running.

      The DSD’s 35 Mitigating Strategies focus on individual tasks organizations can
undertake to improve their security stance. They are a focused subset of the 20 Critical
Controls with a direct mapping detailed in Appendix C: Mapping between the 20 Critical
Security Controls and the Australian Government Defense Signals Directorate’s 35
Mitigation Strategies (CAG, 2011, pp. 72-75).


4. Developing APT-focused Security Guidance Strategy
4.1 Advanced Persistent Threats (APTs)
       In the past few years, intelligence agencies and computer security vendors have
begun using the term Advanced Persistent Threats (APTs) to describe a series of cyber-
based attacks. The term, APTs, typically describes a foreign nation state government with
the advanced capability and persistence to commit cyber espionage (Binde, 2011).
Publicly, we have seen a majority of companies in every industry deal with significant
and costly attack vectors. In January 2010, the source code and intellectual property of
Google and at least 20 other companies in the high-tech industry and defense industrial
base were targeted and compromised during “Operation Aurora” (McClure, 2010). In
November 2009, “Operation Night Dragon” included a series of coordinated and targeted
attacks against the global oil and gas companies (Shook, 2011). Most recently, in the
“Operation Shady RAT" described attack, around 70 corporations and government
organizations were compromised routinely over a period of 5 years (Alperovitch, 2011).
      The above attacks included several commonalities. Routinely, the attackers used
previously unknown attack vectors known as zero-day attacks. Unsuspecting users
opening email attachments or browsing malicious websites introduced these attacks into
the victim network. Additionally, all of these attacks relied upon a remote command and
control channel to steal the data out of the infected networks. In most cases, the victims
compromised were eventually discovered only after virus researchers discovered the
attacker’s command and control servers (Command, 2011).

4.2 Risk-based Approach
      From SANS’ point of view, focusing on the 20 Critical Controls will help an
organization be prepared for the most important actual threats that exist in today’s world.
The 20 Critical Controls help organizations make better use of their limited security
resources, by using a prioritized set of overarching security controls. GIAC Enterprises
will highly benefit from fully adopting the 20 Critical Controls; however, fully adopting
these Critical Controls will take considerable time.
      Therefore, we argue that GIAC Enterprises would benefit most if it takes a risk-
based approach to initially implement only a subset of the 20 Critical Controls that
address its highest risks first. Afterwards, the remaining 20 Critical Controls can be
implemented. It is our belief that due to the nature of GIAC Enterprises’ business, and
being the world’s largest supplier of Fortune Cookie sayings, its intellectual property is a
target for theft. This makes APTs-related risks the highest at this point of time for GIAC
Enterprises. The initial focus should be on mitigating such risks. The next step of the
strategy is to apply the “offense-informs-defense” concept to determine which subset of
controls is better geared to mitigate APTs-related risks. To determine the appropriate
subset of controls, one would highly benefit from tapping in to the collective experience
of the 20 Critical Controls’ contributors, who are responsible for responding to actual
attacks or conducting red team exercises (CAG, 2011, pp. 8-9). Based on the
contributors’ first-hand knowledge of real world attacks and associated defenses, the
contributors included a table of attacks mapped to the most directly related control. That
table represents the foundation for selecting a subset of controls, which is based on the
“offense-informs-defense” concept.
      Reviewing the Attack Types table included in the 20 Critical Controls Consensus
Audit Guidelines’ Appendix (CAG, 2011, pp. 76-77), it is clear that four attacks stand out
as having APT characteristics. The same table suggests which critical control is most
appropriate for that attack. The four attacks and the related controls are included in the
table below:


Attack Summary | Most Directly Related Control
--- | ---
Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation | Critical Control 4: Continuous Vulnerability Assessment and Remediation
Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and then spread it to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools | Critical Control 5: Malware Defenses
Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information or separate it from non-sensitive information | Critical Control 15: Controlled Access Based on the Need-to-Know
Attackers gain access to internal enterprise systems to gather and exfiltrate sensitive information, without detection by the victim organization | Critical Control 17: Data Loss Prevention (DLP)

      The methodology described above for selecting a subset of controls led to the
selection of Critical Controls 4, 5, 15, and 17. A proper analysis would not be complete
without comparing this subset of controls to a statistically proven subset of controls such
as the one recommended by the Australian DSD. The Australian DSD determined that at
least 85% of targeted cyber intrusions could be prevented by implementing four specific
controls:
            1. Patch applications such as PDF readers, Microsoft Office, Java, Flash
               Player, and web browsers;
            2. Patch operating system vulnerabilities;
            3. Minimize the number of users with administrative privileges; and
            4. Use application white-listing to help prevent malicious software and other
               unapproved programs from running.

      It is the authors’ opinion that the subset of controls selected actually resonates with
the Australia DSD recommendation:
               • Australia’s DSD Controls 1 and 2 are in line with selecting Control 4
                 “Continuous Vulnerability Assessment and Remediation;”
               • Australia’s DSD Control 3 is in line with selecting Controls 15 and
                 17 “Controlled Access Based on Need-to-Know, and DLP;” and
               • Australia’s DSD Control 4 is in line with selecting Control 5
                 “Malware Defenses.”

      It is imperative that GIAC Enterprises protect its sensitive data, its intellectual
property. The risk-based methodology used resulted in a subset of controls which are
rather unique in that they are information-focused, and not identical to statistically
supported work such as the systems-focused Australia DSD. Based on GIAC Enterprises’
need, and the recent shift in attention from securing networks, to securing systems, to
securing the data itself (CAG, 2011), we argue that GIAC Enterprises would benefit more
from adopting our recommended subset of controls. Perhaps future work based on this
research may provide evidence that this approach is more effective in securing
intellectual property.
      Therefore, the subset of the 20 Critical Controls to implement first for GIAC
Enterprises are: Controls 4, 5, 15, and 17. These controls lend themselves to automation,
and so the next sections of the paper will highlight some automation approaches for these
controls.

5. Automation Approach for Critical Controls 15 and 17
      Critical Controls 15 and 17 of the 20 Critical Controls state that data access is to be
controlled, and access to data should be on a need-to-know basis. In addition, data loss
prevention capabilities should be in place. Going back to the “offense-informs-defense”
theme, one needs to first understand how attackers exploit the absence of these controls,
before attempting to automate them.

5.1 Exploiting the Absence of Critical Controls 15 and 17
      Organizations often do not carefully identify and separate sensitive information
from publicly available information on their information systems. Because there is no
such separation between the two different types of information, internal users will have
access to all or most of the sensitive information. This makes it easy for attackers who
have penetrated the network to find and exfiltrate the sensitive information. What
compounds the problem further is that an organization may not be monitoring data
outflows to quickly detect such exfiltration. While some information is leaked as a result
of theft or espionage, the vast majority of such problems occur from poorly understood
data practices, lack of effective policy, and user error (CAG, 2011, p. 60). The loss of
control over sensitive information (such as cookie sayings intellectual property) is a
serious vulnerability, and introduces a high risk to GIAC Enterprises.

5.2 Focusing on the Data
      Over the last few years, there has been a noticeable shift in attention and
investment from securing the network to securing systems within the network, and to
securing the data itself (CAG, 2011). To be able to secure the sensitive data, one needs to
know what constitutes sensitive data. Two main types of sensitive data exist: Regulatory
Data, and Corporate Data.

      Sensitive Regulatory Data:
      • Credit card data
      • Privacy data (PII)
      • Health care information

      Sensitive Corporate Data:
      • Intellectual property
      • Financial information
      • Trade secrets



      Regulatory Data is found in many organizations. It takes the same form regardless
of the organization in which it is stored. On the flip side, Corporate Data is usually unique data
that differs from one organization to another. The unique property of Corporate Data
makes it more challenging to identify, control, and secure. The intellectual property of
GIAC Enterprises (cookie sayings) falls into the Corporate Data type of sensitive data.
      Controlling sensitive data can take place when the data is at rest (e.g., data storage),
when the data is in motion (e.g., network actions), and when the data is in use (e.g.,
endpoint actions). To facilitate controlling sensitive data, GIAC Enterprises needs to
establish a proper Data Loss Prevention (DLP) program.


      [Figure: three controls side by side: Control Data-at-Rest, Control Data-in-Motion, Control Data-in-Use]




5.3 Establishing a Risk-based DLP Program
      There are many publications in the market about how complex and expensive
DLP projects can get if not properly handled. It can be argued that a primary reason for
such a perception is a lack of attention to people and process in DLP projects. Rather
than considering DLP as a point product, one can benefit from considering DLP a
 technology that helps build processes to prevent people from leaking sensitive data. To
 establish a proper DLP program for GIAC Enterprises, the following three-phased model
 is suggested:



   [Figure: DLP Program Lifecycle Management (driven by risk-based policies). Three phases over time:
    DISCOVER (risk across the infrastructure), EDUCATE (end users & risk teams), and ENFORCE
    (security controls). Risk is understood in the discover phase and reduced through the
    educate and enforce phases.]
       Whether sensitive data is being controlled at rest, in use or in motion, this three-
 phased model will be used. The first step is to better understand risk by identifying
 sensitive data through a discovery process. The risk discovery phase can occur while data
 is in use, in motion, or at rest. The next step is where risk starts to be mitigated through
 education of both end users and risk teams. Finally, risk mitigation reaches its peak by
 enforcing effective security controls that don’t get in the way of business productivity.

 5.4 Automating Data Classification and Policy Definition
       For GIAC Enterprises, the cookie sayings intellectual property is the data that
 needs to be controlled. As described earlier, this represents sensitive data of type
 Corporate Data. For technology to identify sensitive data through a discovery process, it
 needs to understand what sensitive data is. Ideally, one could simply tell the technology
 that any cookie saying is sensitive data; unfortunately, it is not that simple. Only if cookie
 sayings one day became part of Regulatory Data (e.g., took the form of a credit card number)
 could the technology easily recognize cookie sayings as sensitive data.
      Data classification (defining data sensitivity) is a complex task, because only the
business owners know this information. The sensitivity of cookie sayings, as well as
other data, is dynamic and often varies by business function and time. It is a challenge for
security teams to define what data is sensitive and how it should be handled according to
policy. The logical approach is to involve the line of business in data classification and
policy definition, but involving the line of business is not trivial. An effective way to
address this challenge is to enable the business owners to directly define what data is
sensitive (or what criteria make data sensitive) and how the sensitive data should be
handled. To automate this, a portal with a workflow engine can be used. This type of
automation can be achieved with Governance, Risk, and Compliance (GRC) tools, if these
tools are integrated with the DLP technology being used. One example of such a solution
is the RSA DLP Policy Workflow Manager illustrated below:



[Figure: RSA DLP Policy Workflow Manager. Step 1: business managers identify files and set business rules. Step 2: the DLP administrator creates the DLP policy and checks it for feasibility. Step 3: the DLP policy is routed for approval. Step 4: the approved DLP policy is applied across the organization, reaching end users.]

      It is important to point out that this stage is not about using a tool to go around and
locate sensitive data across the organization. This stage merely defines what to look for
and, once it is found, how it should be handled. It is about defining criteria and rules,
not about scanning. The output of this stage is a set of risk-based DLP policies such as the
following:
                  Enforce Security Controls Based on the Risk of a Violation

   Risk inputs defined in the DLP policy:  User Action   Data Sensitivity   User Identity

   Risk:          LOW ------------------------------------------------> HIGH
   Actions        ALLOW         QUARANTINE       MOVE          ENCRYPT
   (manual or     NOTIFY        JUSTIFY          BLOCK         SHRED
    automated):   AUDIT         COPY             DELETE        RMS (DRM)

      Data sensitivity is one of the three elements that constitute the risk level for a DLP
policy, alongside the user action and the user identity. For the sake of simplicity, GIAC
Enterprises can initially start with only two classification levels: sensitive and public. In
the future, the classification levels can be extended to three: secret, private, and public. A
properly integrated DLP and GRC solution is an abstraction layer that lets the line of
business define technical DLP policies without writing them. These policies are then used
to control data in motion, at rest, or in use. The integrated DLP and GRC solution is
technology that helps fill the undesired gap of people and process in DLP projects.
      Using such an automation approach for data classification and DLP policy
definition can reduce the duration of these activities from weeks to days. This section
helps to automate sub-control 15.1, and lays the foundation for automating most sub-
controls of Critical Controls 15 and 17 (CAG, 2011, p. 55).

5.5 Automating the Control of Data-in-Motion
      People and process elements of DLP projects are often ignored. To address these
two elements when automating the control of data in motion, GIAC Enterprises needs to
follow this process:
          1) Initially understand the risk of data-in-motion across the various protocols
             (Monitor only);
          2) Just-in-time education can be introduced to users to mitigate risk (Monitor
             and Educate); and
           3) In the enforcement phase, an action such as automating encryption of
              sensitive data can be implemented. Also in the final phase, unauthorized
              encrypted data can be blocked to mitigate the exfiltration of sensitive data
              that was encrypted by APTs (Automate Action).



[Figure: Process to Reach Automation (Data-in-Motion). DISCOVER: risk across web protocols, email, IM and generic TCP/IP protocols (Monitor Only; Understand Risk). EDUCATE: users, just-in-time (Monitor & Educate). ENFORCE: encryption, blocking, etc. (Automate Action). Risk is reduced over time across the three phases.]


       The following scenario is an example of just-in-time education when controlling
 data-in-motion: A GIAC Enterprises employee just sent out an email containing a
 sensitive cookie saying. When the network traffic is scanned by the DLP system, an alert
 is sent to the employee saying the email they just sent possibly violates GIAC Enterprises
 intellectual property policy. The alert would also include the policy itself and why this
 email represents a violation. The employee is then given the option (in figure below) of
 sending the email because they are sure this is not a policy violation, or not sending the
 email at all. The action is logged, and the employee is educated just-in-time. If the
 employee faces a similar experience in the future, the employee will likely make a better
 decision, and therefore, reduce GIAC Enterprises’ risk level.




       This section helps to automate sub-controls 17.2, 17.3, 17.5, 17.6, 17.9, 17.10
 (CAG, 2011, pp. 61-62), and 15.4 (CAG, 2011, p. 55).
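The policy definition of section 5.4 and the three data-in-motion phases of this section, worked through as an added example. This is not the paper's code and not an RSA product; the cookie sayings, the user groups, the numeric risk weights and thresholds, and the sample messages are all assumptions made here.

```python
"""Risk-based DLP policy applied to data in motion in the three program phases.

Added example, not the paper's code and not any vendor's product. Assumptions
(not in the paper): the cookie sayings, the user groups, the numeric risk
weights and thresholds, and the sample messages are all constructed here.
"""
import re
from dataclasses import dataclass, field

# Business rule registered by the line of business (constructed catalog).
COOKIE_SAYINGS = ["A closed mouth gathers no feet.",
                  "Your shoes will make you happy today."]

def _normalize(text: str) -> str:
    """Lower-case, collapse whitespace, drop punctuation: tolerant exact matching."""
    return re.sub(r"[^a-z0-9 ]", "", re.sub(r"\s+", " ", text.lower())).strip()

# Regulatory data has a detectable format: a 13-19 digit run that passes Luhn.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def _luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> str:
    """Data sensitivity: 'regulatory' (card number), 'corporate' (cookie saying) or 'public'."""
    for m in _PAN_RE.finditer(text):
        if _luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "regulatory"
    norm = _normalize(text)
    if any(_normalize(s) in norm for s in COOKIE_SAYINGS):
        return "corporate"
    return "public"

# The paper's three risk elements: user action x data sensitivity x user identity.
SENSITIVITY_WEIGHT = {"public": 0, "corporate": 2, "regulatory": 3}
ACTION_WEIGHT = {"email_internal": 0, "usb_copy": 2, "email_external": 2, "webmail_upload": 3}
IDENTITY_WEIGHT = {"engineering": 0, "marketing": 1, "contractor": 2}  # hypothetical groups

def risk_score(action: str, sensitivity: str, group: str) -> int:
    if sensitivity == "public":
        return 0
    return SENSITIVITY_WEIGHT[sensitivity] + ACTION_WEIGHT[action] + IDENTITY_WEIGHT[group]

def enforcement_for(score: int) -> str:
    """Pick a rung of the paper's action ladder (ALLOW/NOTIFY ... ENCRYPT/SHRED/RMS)."""
    if score == 0:
        return "ALLOW"
    if score <= 2:
        return "NOTIFY"       # low risk: deliver, tell the user, audit
    if score <= 4:
        return "JUSTIFY"      # quarantine until the user justifies the transfer
    if score <= 6:
        return "BLOCK"
    return "ENCRYPT"          # highest risk: only leaves the company encrypted

@dataclass
class Decision:
    verdict: str           # delivered, delivered_encrypted, held_for_user, blocked, cancelled
    sensitivity: str
    score: int
    policy_action: str     # what ENFORCE would do, even when only monitoring
    user_message: str = ""
    log: list = field(default_factory=list)

def inspect_message(text: str, action: str, group: str, phase: str) -> Decision:
    """phase: 'discover' (monitor only), 'educate' (monitor and educate), 'enforce'."""
    if phase not in ("discover", "educate", "enforce"):
        raise ValueError(f"unknown phase {phase!r}")
    sensitivity = classify(text)
    score = risk_score(action, sensitivity, group)
    policy_action = enforcement_for(score)
    d = Decision("delivered", sensitivity, score, policy_action)
    d.log.append(f"{phase}: {action} by {group} -> {sensitivity} (score {score}, {policy_action})")
    if score == 0 or phase == "discover":
        return d                      # understand risk: never touch the traffic
    if phase == "educate" or policy_action == "JUSTIFY":
        d.verdict = "held_for_user"   # just-in-time education; the user may override
        d.user_message = (f"Your {action} seems to contain {sensitivity} data covered by the "
                          f"GIAC Enterprises IP policy. Send anyway, or cancel?")
    elif policy_action == "NOTIFY":
        d.user_message = "Delivered; note that this message contained sensitive data."
    elif policy_action == "BLOCK":
        d.verdict = "blocked"
    elif policy_action == "ENCRYPT":
        d.verdict = "delivered_encrypted"
    return d

def user_override(d: Decision, send: bool, justification: str = "") -> Decision:
    """Resolve a held message; the choice is logged either way (the education step)."""
    if d.verdict != "held_for_user":
        raise ValueError("nothing is waiting for the user")
    d.verdict = "delivered" if send else "cancelled"
    d.log.append(f"user chose {'send' if send else 'cancel'}: {justification}".rstrip(": "))
    return d
```

The same policy produces different outcomes in each phase: in the discover phase every message is delivered and only logged, in the educate phase the user is shown the policy text and decides, and only in the enforce phase does the ladder's action (notify, justify, block, encrypt) apply. The Luhn check is what keeps the card-number rule from firing on phone numbers and order IDs; a production deployment would replace the substring match on cookie sayings with document fingerprints, but the decision flow stays the same.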
5.6 Automating the Control of Data-at-Rest/Data-in-Use
      At this stage, as in the earlier stage of controlling data in motion, sensitive
data has been defined using the techniques highlighted in section 5.4. Where the sensitive
data is, who has access to it, and how it is being used are still not known, so the risk
exposure is unknown; once these questions are answered, it becomes known. The focus of
this section is how to answer these questions in an automated manner. Continuing the same
theme (giving more attention to the people and process elements of DLP projects), GIAC
Enterprises needs to follow this process for automating the control of data-at-rest and
data-in-use:
    1) Understand the risk of data-at-rest in all data stores. This requires scanning all
       data stores to identify where sensitive data is located. The tools available for this
       range from open source tools such as OpenDLP to commercial DLP tools. Once
       the location of sensitive data is identified, the next step is to find out who has
       access to it, and whether they have a need-to-know. This second scanning
       operation is often performed with a different set of tools: some are free and gather
       the ACLs of files and folders on network shares (ShareEnum, for example), while
       others are built in and monitor file activity, such as the Windows audit
       logging capability for files (Scanning);

    2) Just-in-time education can be introduced to users to mitigate risk associated with
       sensitive data. As line-of-business becomes more educated, proper data
       governance policies can be defined (Monitor and Educate); and

    3) In the enforcement phase, data governance policies can be implemented to further
       reduce risk. An action such as automating encryption of sensitive data at rest can
       be implemented. Also in this final phase, integration of DLP with other
       technologies, such as Digital Rights Management (DRM) tools can be leveraged.
       An integration example would be the automatic application of DRM controls on
       sensitive data when DLP senses the data is being copied to an external drive
       (Automate Action).
[Figure: Process to Reach Automation (Data-at-Rest/-in-Use). DISCOVER: risk across data permissions and stores such as file shares, databases, endpoints and repositories (Scanning; Understand Risk). EDUCATE: users, just-in-time (Monitor & Educate). ENFORCE: data governance policy such as encryption, DRM, block, shred, log, etc. (Automate Action). Risk is reduced over time across the three phases.]


       For GIAC Enterprises, the cookie sayings intellectual property is likely scattered all
 across the organization. At this stage, the line of business has defined what sensitive
 data is, and that definition is incorporated into DLP policies: the security/risk team now
 knows what it is looking for. The scanning operations that take place in the discovery
 phase of the above process answer two important questions: 1) Where is the sensitive
 data?; and 2) Who has access to it? The answers help GIAC Enterprises understand the
 risks associated with sensitive data (cookie sayings) at rest and in use. It is a real
 challenge to locate sensitive data among terabytes spread across multiple sites; it
 resembles searching for gems along extremely long sandy shores. Technology is available
 to overcome this problem, even in massive environments. The scanning technology of
 commercial DLP vendors can turn existing servers into a cluster that scans terabytes of
 data in parallel with no additional hardware. Using temporary software agents, sensitive
 data is identified in multiple repositories such as file servers, endpoints, databases, and
 collaborative environments such as Microsoft SharePoint. Incremental changes to data
 repositories can be monitored, so that regular rescans only need to cover what has
 changed. By bringing the scanning software to the data, and not vice versa, it is possible
 to scan massive amounts of data without saturating the network. The figure below
 illustrates the architecture used to perform sensitive data discovery in a multi-site
 environment, with multiple data repositories:



[Figure: multi-site discovery architecture. A DLP administrator dispatches temporary software agents to the main data center, a secondary data center and the remote offices; the agents scan repositories in place, including databases and SharePoint.]

      After using technology in the discovery phase to answer where sensitive data is,
one has a better understanding of risk. However, understanding the risk is only the first
half of the story. The second half is risk remediation, and it is not trivial.
      Risk remediation for sensitive data at rest is about defining the appropriate data
governance policy and applying it so that files with sensitive content are properly
protected. However, encrypting a file, moving it to a more secure repository, or changing
its permissions without involving the end users of the file can have a negative impact on
any organization. The proper way to address this challenge is to involve the line of
business in the remediation process. The benefit is that proper data governance policies
can be defined for cookie sayings without negatively impacting the business. The
drawback is that the risk remediation process can take significantly longer, with emails,
phone calls, and spreadsheets going back and forth between the security/risk team and the
line of business in order to protect a large number of files located all around GIAC
Enterprises.
      This drawback is a workflow challenge, and can be overcome using a risk
management workflow module that automates risk remediation. This type of automation
can be achieved by GRC tools, especially if these tools are integrated with the scanning
tools used to discover sensitive data, permissions, and file activity. The module enables
the security/risk team to send remediation options and questionnaires about the business
context to the business owners in an automated manner. This empowers the business
users to take appropriate decisions about the sensitive files they own. An example is the
RSA DLP Risk Remediation Manager (RRM) solution, illustrated as follows:



[Figure: RSA DLP Risk Remediation Manager (RRM). Discover Sensitive Data: SharePoint, databases and NAS/SAN are scanned by a DLP grid/virtual grid using temporary agents; file servers and endpoints by resident agents. Manage Remediation Workflow: DLP findings, file activity tools and GRC systems feed the RRM, which routes decisions to business users. Apply Controls: apply DRM, encrypt, delete/shred, change permissions, or record a policy exception.]


      Using such an automation approach for risk remediation of data-at-rest can
reduce the duration of these activities from months to weeks. The benefit of the
automation approach is twofold:
      - The automation allows just-in-time education of the line of business,
        which facilitates the definition of the data governance policy and
        improves future actions; and
      - The automation significantly reduces the remediation time for data
        governance policy violations without negative business impact. This
        increases the efficiency of a reactive control, and reduces the
        window of opportunity for APTs.
      This section helps to automate sub-controls 15.2, 15.3, 15.5, 15.6, 15.7 (CAG,
2011, pp. 55-56), 17.4, and 17.7 (CAG, 2011, p. 61).
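The three-step process for data at rest (scan for sensitive content, gather who has access and whether they have a need-to-know, then remediate through a workflow that involves the business owner), worked through as an added example. This is not the paper's code and not OpenDLP, ShareEnum or RSA RRM; the in-memory "file share", its contents and ACLs, the groups, the need-to-know list and the ticket model are assumptions made here.

```python
"""Data-at-rest discovery, need-to-know analysis and remediation workflow.

Added example, not the paper's code and not a vendor product (OpenDLP,
ShareEnum or RSA RRM). Assumptions (not in the paper): the file share is an
in-memory dict with constructed contents and ACLs, the groups and the
need-to-know list are invented, and the ticket is a minimal stand-in for a
GRC workflow item.
"""
import copy
import hashlib
from dataclasses import dataclass, field
from typing import Optional

COOKIE_SAYINGS = ["a closed mouth gathers no feet", "your shoes will make you happy today"]
NEED_TO_KNOW = {"cookie-writers", "product-mgmt"}          # set by the business owner
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed sample share: path -> {content, owner, acl=[(principal, access)]}
_SAMPLE_SHARE = {
    r"\\fs01\marketing\q1-campaign.txt": dict(
        content="Draft tagline: Your shoes will make you happy today!",
        owner="alice", acl=[("Everyone", "read"), ("marketing", "write")]),
    r"\\fs01\product\sayings-master.txt": dict(
        content="A closed mouth gathers no feet.\nYour shoes will make you happy today.",
        owner="bob", acl=[("cookie-writers", "write"), ("product-mgmt", "read")]),
    r"\\fs01\public\cafeteria-menu.txt": dict(
        content="Tuesday: tomato soup", owner="carol", acl=[("Everyone", "read")]),
}

def make_share() -> dict:
    """Fresh copy of the sample share so remediation can mutate it safely."""
    return copy.deepcopy(_SAMPLE_SHARE)

def is_sensitive(content: str) -> bool:
    """Classifier from the policy stage: any registered saying marks the file."""
    text = content.lower()
    return any(s in text for s in COOKIE_SAYINGS)

@dataclass
class Finding:
    path: str
    owner: str
    principals: list        # everyone with some access (the 'who has access' question)
    excess: list            # principals outside the need-to-know list (owner excepted)
    broad_exposure: bool    # a catch-all group can read the file

def discover(share: dict, seen: Optional[dict] = None) -> tuple:
    """Scan the share for sensitive files and their ACLs.

    'seen' maps path -> hash from the previous run; content and ACL both go
    into the hash, so a rescan only re-examines files whose data or
    permissions changed (the incremental scanning the paper mentions).
    Returns (findings, updated_seen).
    """
    seen = dict(seen or {})
    findings = []
    for path, f in share.items():
        digest = hashlib.sha256((f["content"] + repr(sorted(f["acl"]))).encode()).hexdigest()
        if seen.get(path) == digest:
            continue                    # unchanged since the last scan
        seen[path] = digest
        if not is_sensitive(f["content"]):
            continue
        principals = [p for p, _ in f["acl"]]
        findings.append(Finding(path, f["owner"], principals,
                                [p for p in principals
                                 if p not in NEED_TO_KNOW and p != f["owner"]],
                                any(p in BROAD_GROUPS for p in principals)))
    return findings, seen

@dataclass
class Ticket:
    finding: Finding
    options: list
    status: str = "pending"
    decision: str = ""
    audit: list = field(default_factory=list)

def open_ticket(finding: Finding) -> Ticket:
    """Route the finding to its business owner with the remediation choices."""
    if finding.excess:
        options = ["change_permissions", "move", "encrypt", "delete", "policy_exception"]
    else:
        options = ["encrypt", "policy_exception"]   # access is already need-to-know
    return Ticket(finding, options)

def apply_decision(ticket: Ticket, share: dict, choice: str, note: str = "") -> Ticket:
    """Apply the owner's choice to the share and record it for audit."""
    if choice not in ticket.options:
        raise ValueError(f"{choice!r} was not offered for {ticket.finding.path}")
    if choice == "policy_exception" and not note:
        raise ValueError("a policy exception needs a business justification")
    f = share[ticket.finding.path]
    if choice in ("change_permissions", "move"):
        kept = [(p, a) for p, a in f["acl"] if p in NEED_TO_KNOW or p == f["owner"]]
        f["acl"] = kept or [(f["owner"], "write")]   # never leave the file ownerless
        f["quarantined"] = choice == "move"          # 'move' = tighten and relocate
    elif choice == "encrypt":
        f["encrypted"] = True
    elif choice == "delete":
        del share[ticket.finding.path]
    ticket.status, ticket.decision = "applied", choice
    ticket.audit.append(f"{ticket.finding.owner} chose {choice} {note}".strip())
    return ticket
```

Discovery answers the two questions of the section (where the sensitive data is, and who can reach it) in one pass, and the finding carries the over-exposure facts the business owner needs in order to choose. Hashing the ACL together with the content means a permission change on an already-known file is re-examined on the next incremental run, which a content-only hash would miss.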


6. Automation Approach for Critical Controls 4 and 5
      Critical Controls 4 and 5 of the 20 Critical Controls state that attackers exploit new
vulnerabilities on systems that lack critical patches and use malicious code to gain control
of target systems, which could allow the capture of sensitive information such as
cookie sayings from GIAC Enterprises.
      To fully understand what controls are best suited for the prevention and mitigation
of APTs, one first needs to understand the attack vector typically used.
      Malware innovations have been driven by attackers' quest to gain increasing
control of compromised systems and the networks in which they reside. A recent
white paper sponsored by Imperva, "Advanced Persistent Threat: Are You the
Next Target?," presents a diagram detailing the anatomy of an APT attack
(Bitpipe.com, 2011).
       Considering the dynamics of the advanced malware infection lifecycle, the
following illustrates another commonly adopted infection approach (Damballa, 2011):




   1) Victim surfs to a website or clicks on a link in an email (e.g., phishing, drive-by
       download);
   2) Browser is redirected to a malicious dropper site;
   3) Victim is misled into downloading the dropper, or the dropper is automatically
       downloaded through an exploit;
   4) Dropper unpacks on the victim machine and runs;
   5) Dropper contacts a new site: UPDATE;
   6) UPDATE sends Command & Control (C&C) instructions;
   7) Dropper contacts C&C Site #1 with victim identity details;
   8) C&C Site #1 sends encrypted malware with new C&C instructions. It might even
       be 'locked' to the victim machine;
   9) Malware is decrypted by the dropper and installed. The dropper may stay behind as
       false evidence for investigators, or delete itself so that investigators believe that
       no infection has occurred; and
   10) Malware contacts C&C Site #2 and sends passwords, data, etc. as an encrypted payload.

       Steps 8, 9, and 10 can repeat indefinitely, with the malware 'evidence' and C&C
connection instructions changing constantly. The malware can be repurposed or told to
lie silent for prolonged periods of time.
       As one can deduce from the above description of APTs, the client is the primary
target of the attackers. Through social engineering, targeted spear phishing
emails are sent to known key users in an organization. A carefully crafted email entices
an unsuspecting victim to open a malicious attachment that is dressed up to look like a
typical file the user would expect from the spoofed sender.
      Control 4 was chosen to help block the above threat vector by focusing on client-
based authenticated vulnerability scanning, including the presence or absence of key
patches, and on quickly remediating any vulnerabilities found. Control 5 was chosen to
reduce and remediate the effect of the malware on which APTs depend.

6.1 Exploiting the Absence of Critical Controls 4 and 5
       Any time new vulnerabilities are discovered and reported by security researchers
or vendors, attackers are quick to develop exploit code and immediately launch
attacks. Delays in finding or patching software with exploitable vulnerabilities provide
ample opportunity for persistent attackers to gain a critical foothold in the enterprise.
Without thorough scanning for vulnerabilities and proactive remediation of discovered
flaws, systems are left open to compromise. Malicious software is also used to
target end users via web browsing, email attachments, mobile devices, and other vectors.
This code attempts to capture sensitive data, spread to other systems, evade
signature-based detection, and even disable anti-virus tools running on systems (CAG,
2011, pp. 23-26). John Pescatore, a distinguished Gartner analyst, said at a recent
Gartner Security and Risk Management Summit, "There is no such thing as the
unstoppable attack in cybersecurity. Every attack, in order to succeed, needs to exploit
a vulnerability" (infosecurity.com, 2011). Without a means to detect or prevent
malicious software from being installed and establishing a command and control
channel, GIAC Enterprises carries a risk that is unacceptable.

6.2 Focusing on the APTs, and the Threat Vectors through
    Continuous Monitoring
       Whether attackers use viruses, Trojans, bots, or rootkits, today's malware is
designed for the long-term control of compromised client machines. Advanced malware
also establishes outbound communications across several different protocols to upload
collected data and to download further malware payloads for additional criminal
purposes. One of the keys to protecting sensitive data is continuous
monitoring. This includes verifying that systems are not susceptible to
well-known exploits through vulnerability assessments and being diligent in patch
management.
       The Risk Assessment (RA-3) and Vulnerability Scanning (RA-5) guidance
provided by NIST conforms to this concept. As shown in the workflow diagram below,
an assessment of risk is conducted, its results are documented, and the assessment is
reviewed and updated. For vulnerability scanning, a similar diagram presents a
continual cycle: conduct vulnerability scans, analyze the scan reports, remediate
legitimate vulnerabilities, and correlate and share the results to reduce systemic
weaknesses or deficiencies (SP 800-53 Revision 3, 2010, pp. F92-93).




[Workflow 1 - Risk Assessment: Conduct Assessment of Risk -> Document Risk Assessment Results -> Review and Update Risk Assessment -> (repeat)]

[Workflow 2 - Vulnerability Scanning: Conduct Vulnerability Scans -> Analyze Vulnerability Scan Reports -> Remediate Legitimate Vulnerabilities -> Correlate and share results to reduce systemic weaknesses or deficiencies -> (repeat)]
         Continuous monitoring is a crucial element in the Risk Management Framework
developed by NIST. NIST's recently released SP 800-137, "Information Security
Continuous Monitoring for Federal Information Systems and Organizations," defines
continuous monitoring as "maintaining ongoing awareness of information security,
vulnerabilities, and threats to support organizational risk management decisions" (SP 800-
137, 2011, p. vi). In addition, an organization's overall security architecture and
accompanying security program are monitored to ensure that organization-wide
operations remain within an acceptable level of risk, despite any changes that occur.
Recent guidance from the Office of Management and Budget on FISMA reporting
emphasizes monitoring on an ongoing basis rather than periodic assessments (Jackson,
2011).

6.3 Control 4 - Automating Continuous Vulnerability
    Assessment and Remediation
         Considering that an APT always starts with the compromise of a vulnerable
system, a means of understanding what vulnerabilities exist and what patches are
available to remediate them is critical. This is where GIAC Enterprises can take positive
steps to protect and isolate itself from easily prevented client-based exploits.
Research indicates that a limited number of exploits in just a handful of widely used
third-party applications are responsible for nearly all successful enterprise malware
infections on Windows clients. According to research released last September by the
research firm CSIS Security Group, a three-month study of real-time attack data showed
that as many as 85% of all virus infections occurred as a result of automated drive-by
attacks created with commercial exploit kits, and nearly all of them targeted five
popular third-party applications: Java Runtime Environment (JRE), Adobe Flash, Adobe
Acrobat and Reader, Internet Explorer, and Apple QuickTime (Kruse, 2011). This
research lends additional credence to the focus of the Australian DSD findings.
         Automated vulnerability scanning should run on all organizational assets on at
least a weekly basis. Any time a new system is introduced to the network, a scan should
automatically occur. In addition, authenticated scans of known system types should
occur. For example, an administrative account should be established on all Windows-
based systems and the vulnerability scans should use the privileges of this account
when performing scans; since such an account is a high-value credential, it should be
dedicated to scanning and protected accordingly. This can be part of an enterprise
solution incorporating agent-based clients to facilitate the scans.
        Scanning tools should scan for specific functionality, ports, protocols, and
services that should not be accessible to users or devices, and for improperly configured
systems. More importantly, modern scanners should determine whether key operating
system and third-party application patches are applied. Mobile code technologies such as
Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and
VBScript should be closely monitored, and perhaps even restricted. Malware targeting
vulnerabilities in application layer software such as that mentioned above needs to be
restricted by ensuring all application software is at the most current release. Perhaps it is
time to ban these dangerous third-party applications, as editorialized by Eric Parizo,
Senior Site Editor of SearchSecurity.com (Parizo, 2012)? If they cannot be banned
outright, consider implementing security controls such as removing Java from the
Internet zone in Internet Explorer, configuring Adobe Reader to prompt before executing
JavaScript, or disallowing embedded executables from running in PDFs.
Research by Dan Guido and the Exploit Intelligence Project has shown these steps to be
the most efficient (Guido, 2011).
        Vulnerabilities should be expressed in industry-recognized vulnerability,
configuration, and platform classification schemes: the Common Vulnerabilities and
Exposures (CVE) naming convention identifies each vulnerability, and the Open
Vulnerability and Assessment Language (OVAL) provides machine-readable definitions
for testing whether it is present on a system. Other excellent resources for vulnerability
information are the Common Weakness Enumeration (CWE) and the National
Vulnerability Database (NVD).
        Correlating the existence of known vulnerabilities with the patches that remedy
them must be integrated into this process. By applying the known trifecta of quality
vulnerability scanning and remediation (scanning, patching, and the correlation between
the two), GIAC Enterprises can hit the "Sweet Spot" and further reduce and eliminate
easily exploitable holes.
        To reduce or eliminate known security risks in the computing environment,
GIAC Enterprises needs to follow this process for automating this critical control:

     1) Implement an automated approach to patching by utilizing solutions such as
        Microsoft Windows Server Update Services (WSUS) or other commercial
        management software for operating system and third-party software on all systems;
     2) Identify, analyze, and remediate vulnerabilities by implementing an effective
        continuous vulnerability assessment program. All vulnerability scanning should
        be performed in authenticated mode, either with agents running locally on each
        system to analyze the security configuration or with remote scanners that are
        given administrative rights on the client systems being tested;
     3) Scanning tools should be tuned to identify changes over time on each client
        machine for both authorized and unauthorized services. This will assist in
        detecting backdoors that might have been created on a compromised system; and
     4) Enlist senior management to provide effective incentives in the mitigation
        process by tracking the number of unmitigated, critical vulnerabilities for each
        group.
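The four steps above, worked through as an added example: authenticated-scan inventory is correlated with a vulnerability feed to find what is unpatched, listening services are diffed against a baseline (step 3), findings are grouped by the patch that closes them (step 1), and unmitigated critical vulnerabilities are counted per group (step 4). This is not the paper's code and not Nessus, SecurityCenter or WSUS output; the host inventories, the port baselines, and the feed with its CVE-0000-* identifiers and patch names are constructed sample data, which real NVD/OVAL content and scanner exports would replace.

```python
"""Correlating authenticated-scan inventory with a vulnerability feed and
patch state for Critical Control 4.

Added example, not the paper's code and not Nessus, SecurityCenter or WSUS
output. Assumptions (not in the paper): the host inventories, the port
baselines, and the feed with its CVE-0000-* identifiers and patch names are
constructed sample data; in practice NVD/OVAL content and scanner exports
take their place.
"""
import re
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """'1.6.0_26' -> (1, 6, 0, 26); non-numeric suffixes are ignored so that
    odd vendor strings ('10.1.1b') still compare instead of crashing."""
    return tuple(int(re.sub(r"\D", "", part) or 0)
                 for part in v.replace("_", ".").split("."))

# Constructed feed: one entry per CVE/product with the version that fixes it.
FEED = [
    dict(cve="CVE-0000-0001", product="java-jre", fixed_in="1.6.0_29",
         severity="critical", patch="JRE 6u29"),
    dict(cve="CVE-0000-0002", product="adobe-reader", fixed_in="10.1.1",
         severity="critical", patch="Reader 10.1.1"),
    dict(cve="CVE-0000-0003", product="flash", fixed_in="11.1.102.55",
         severity="high", patch="Flash 11.1.102.55"),
]

# Constructed output of authenticated scans: installed versions and listeners.
HOSTS = [
    dict(name="ws-001", group="marketing",
         software={"java-jre": "1.6.0_26", "adobe-reader": "10.1.1"}, ports={135, 445}),
    dict(name="ws-002", group="marketing",
         software={"flash": "11.1.102.55", "adobe-reader": "9.4"}, ports={135, 445, 4444}),
    dict(name="ws-003", group="engineering",
         software={"java-jre": "1.6.0_29"}, ports={22}),
]
# Listening ports recorded when each host was last known clean (step 3 baseline).
BASELINE = {"ws-001": {135, 445}, "ws-002": {135, 445}, "ws-003": {22}}

@dataclass(frozen=True)
class Vuln:
    host: str
    cve: str
    product: str
    installed: str
    fixed_in: str
    severity: str
    patch: str

def assess(host: dict, feed: list) -> list:
    """A product older than the fixing version is vulnerable; equal or newer is not."""
    found = []
    for e in feed:
        installed = host["software"].get(e["product"])
        if installed is None:
            continue
        if parse_version(installed) < parse_version(e["fixed_in"]):
            found.append(Vuln(host["name"], e["cve"], e["product"], installed,
                              e["fixed_in"], e["severity"], e["patch"]))
    return found

def service_drift(baseline: set, current: set) -> dict:
    """Step 3: services that appeared or vanished since the baseline; a new
    listener on a client is a backdoor candidate until explained."""
    return {"new": sorted(current - baseline), "missing": sorted(baseline - current)}

def patch_plan(hosts: list, feed: list) -> dict:
    """Step 1 handoff: which patch job (WSUS/SCCM/etc.) closes which hosts."""
    plan = {}
    for h in hosts:
        for v in assess(h, feed):
            plan.setdefault(v.patch, set()).add(v.host)
    return {patch: sorted(names) for patch, names in plan.items()}

def unmitigated_critical_by_group(hosts: list, feed: list) -> dict:
    """Step 4 scorecard for management: unpatched critical vulns per group."""
    counts = {h["group"]: 0 for h in hosts}
    for h in hosts:
        counts[h["group"]] += sum(v.severity == "critical" for v in assess(h, feed))
    return counts
```

The version comparison is the part that an authenticated scan makes possible: an unauthenticated scan sees only what a service banners, whereas the installed-software inventory lets every entry in the feed be tested. The scorecard and the patch plan are the two outputs management and the patching team each need, derived from the same correlation rather than from separate spreadsheets.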

         One known commercial example is from Tenable Network Security, Inc.,
which recently announced that its Nessus Vulnerability Scanner and SecurityCenter
now integrate with top patch management solutions, including Red Hat Network
Satellite Server, Microsoft Windows Server Update Services (WSUS), Microsoft System
Center Configuration Manager (SCCM), and VMware Go. The integration bridges the
gap between vulnerability management and patch management solutions
(darkReading.com, 2011). This is a very viable solution to GIAC's concern of
preventing malicious software from entering its enterprise. It is critical to have a
strong vulnerability management and patch management strategy.
       In addition, Tenable recently published a white paper entitled "Real-Time Auditing
for SANS Consensus Audit Guidelines - Leveraging Asset-Based Configuration and
Vulnerability Analysis with Real-Time Event Management" (Gula, Fennelly, 2011). This
paper describes how their solutions can be leveraged to achieve compliance with the
SANS Consensus Audit Guidelines (CAG) by ensuring that key assets are properly
configured and monitored for security compliance. It is interesting to note how it can
assist in the focus of Control 4. The following table, referenced from the aforementioned
white paper, outlines its effectiveness in helping GIAC Enterprises reduce the exposed
footprint for virus and malware attacks.

 4. Continuous Vulnerability Assessment and Remediation

 Interpretation:
     It is important to monitor systems for vulnerabilities in as close to real time as
     possible. Penetration tests can discover vulnerabilities in the IT infrastructure, but
     they are only a snapshot in time. A system that is scanned one day and found to be
     free of vulnerabilities may be completely exploitable the next day.

 Tenable Solution:
     Tenable was founded on the belief that it is crucial to monitor systems in a manner
     as close to real time as possible to ensure the organization does not drift out of
     compliance over time. The greater the gap between monitoring cycles, the more likely
     it is for vulnerabilities to be undetected. To achieve this goal, Tenable offers
     several technologies that can be leveraged:
     > Nessus can perform rapid network scans. A typical vulnerability scan can take just
       a few minutes. With the SC, multiple Nessus scanners can be combined to perform
       load balanced network scans.
     > Nessus credential scans can be leveraged to perform highly accurate and rapid
       configuration and vulnerability audits. Credentialed scans also enumerate all UDP
       and TCP ports in just a few seconds.
     > The Passive Vulnerability Scanner (PVS) monitors all network traffic in real time
       to find new hosts, new vulnerabilities, and new applications. It scans for the same
       vulnerabilities detected by the Nessus scanner.
               Automating Crosswalk between SP 800 and the 20 Critical Controls 30


      This section helps to automate sub-controls 4.1, 4.2, 4.3, 4.4, 4.6, 4.7, and 4.8
(CAG, 2011, pp. 23-24).
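The process above ends with tracking the number of unmitigated critical vulnerabilities per group, and the Tenable interpretation makes the point that a host found clean on one scan can be exploitable on the next. As an added example that is not part of the original paper and is not Tenable’s or any patch management vendor’s code, the Python below reconciles constructed scan findings with a constructed patch management export to produce exactly those numbers: unmitigated criticals per owning group, findings that are new since the previous scan cycle, and findings open past a deadline. All host names, group names, vulnerability ids and patch ids are constructed placeholders; a real deployment would export them from the scanner and the patch system.

```python
"""Reconcile vulnerability scan findings with patch-management state.

Added example, not code from the paper, from Tenable, or from any patch
management product. All hosts, groups, vulnerability ids and patch ids are
constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str       # constructed placeholder, not a real CVE or plugin id
    severity: str      # "critical", "high", "medium" or "low"
    fixing_patch: str  # patch the scanner reports as the remediation (constructed)
    first_seen: date   # first scan cycle that reported it


# Constructed asset inventory: which business group owns each host.
ASSET_GROUPS = {
    "web01": "ecommerce",
    "web02": "ecommerce",
    "db01": "ecommerce",
    "hr-fs01": "hr",
    "dev03": "engineering",
}

# Constructed export from a patch-management system: host -> patches already applied.
PATCH_STATE = {
    "web01": {"PATCH-A"},
    "web02": set(),
    "db01": {"PATCH-B"},
    "hr-fs01": {"PATCH-A", "PATCH-C"},
    "dev03": set(),
}

# Constructed findings from two consecutive daily scan cycles.
CYCLE_1 = [
    Finding("web01", "VULN-1", "critical", "PATCH-A", date(2012, 1, 3)),
    Finding("web02", "VULN-1", "critical", "PATCH-A", date(2012, 1, 3)),
    Finding("db01", "VULN-2", "critical", "PATCH-B", date(2012, 1, 3)),
    Finding("hr-fs01", "VULN-3", "high", "PATCH-C", date(2012, 1, 3)),
]
CYCLE_2 = CYCLE_1 + [
    Finding("dev03", "VULN-4", "critical", "PATCH-D", date(2012, 1, 4)),
]

# Constructed date on which the management report is produced.
REPORT_DATE = date(2012, 1, 20)


def unmitigated(findings, patch_state):
    """Findings whose remediating patch is not recorded as applied on that host."""
    return [f for f in findings
            if f.fixing_patch not in patch_state.get(f.host, set())]


def critical_by_group(findings, patch_state, asset_groups):
    """Count unmitigated critical findings per owning group (the management metric)."""
    counts = Counter()
    for f in unmitigated(findings, patch_state):
        if f.severity == "critical":
            counts[asset_groups.get(f.host, "unassigned")] += 1
    return dict(counts)


def new_since(previous, current):
    """Findings present in this cycle but not the last: clean yesterday, exposed today."""
    seen = {(f.host, f.vuln_id) for f in previous}
    return [f for f in current if (f.host, f.vuln_id) not in seen]


def overdue(findings, patch_state, today, max_days):
    """Unmitigated critical findings that have been open for more than max_days."""
    return [f for f in unmitigated(findings, patch_state)
            if f.severity == "critical" and (today - f.first_seen).days > max_days]


if __name__ == "__main__":
    print("unmitigated criticals per group:",
          critical_by_group(CYCLE_2, PATCH_STATE, ASSET_GROUPS))
    print("new since last cycle:",
          [(f.host, f.vuln_id) for f in new_since(CYCLE_1, CYCLE_2)])
    print("overdue (>14 days):",
          [f.host for f in overdue(CYCLE_2, PATCH_STATE, REPORT_DATE, 14)])
```

The join key is deliberately the patch the scanner names as the fix rather than the vulnerability id, because that is what the patch management export can confirm; a finding with no patch mapping never drops out of the unmitigated list and so stays visible to the owning group until someone records a compensating control.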

6.4 Control 5 - Automating Continuous Monitoring of Malicious Software and
    Malware Callbacks
       According to the most recent security threat report published by Sophos, the
company analyzed 95,000 pieces of malware every day, nearly double the amount tracked
the prior year. This amounts to one unique file every 0.9 seconds, 24 hours a day, every
day of the year (Sophos, 2011).
       Attackers have developed ways to bypass outdated security techniques, such as
signatures, leaving businesses and consumers vulnerable to attack. Signature-based
technologies like IPS and antivirus software, both within perimeter and endpoint
solutions, are increasingly ineffective against this rapidly evolving, blended threat. In
fact, Bob Walder from Gartner reported, “Some IPS/IDS/Next-Generation firewalls
(NGFW) vendors are no better at handling evasions today than they were when they
released their original products” (Walder, 2010).
       A common denominator of any malware delivery system is the human element.
Quoting from the book Information Security Management Handbook, Sixth Edition: “It
is well recognized that the greatest information security danger to any organization is not
a particular process, technology, or equipment, rather it is the people who work within
the “system” that hide the inherent danger” (Tipon, Krause, 2007, Ch. 43). An educated
workforce is therefore also critical to combating malware.
       With the sophisticated approaches modern attackers use to inject malware into an
organization, it is almost impossible to prevent systems from being compromised. A
process has to be in place to carry out incident response when malware is detected, and
it has to be timely in order to quickly contain any infections that have occurred. The
efficiency with which modern malware gathers proprietary information and transmits it
back over encrypted channels is too alarming to ignore. A compromised system has to be
identified through detection methods and removed from the network as soon as possible,
then eradicated and recovered following best-practice incident response procedures. In
2005, NIST introduced Special Publication 800-83, ‘Guide to Malware Incident Prevention
and Handling’. This publication provides recommendations for improving an organization’s
malware incident prevention measures. It also gives extensive recommendations for
enhancing an organization’s existing incident response capability so that it is better
prepared to handle malware incidents (Mell, 2005).
       With zero-day and APT attacks being the primary challenges businesses face today,
GIAC Enterprises needs to follow this process for automating, and thus reducing, the risk
of data loss through malware infections:

     1) Implement basic and necessary malware protection. This includes both
        perimeter and endpoint solutions for Intrusion Prevention Systems (IPS) as well
        as antivirus/antimalware protection. Even though these typical signature-based
        solutions are increasingly less effective, they will still prevent many infections
        from occurring. Host-based IPS (HIPS) can and should be implemented as
        another layer of protection. This can prevent known malware from infecting
        systems;
     2) Train and educate users in the art of recognizing social engineering tactics.
        Conduct simulated but realistic scenarios, such as sending targeted spear
        phishing email with a payload that reports successful installation back to IT
        management;
     3) Configure laptops, workstations, and servers so that they will not auto-run
        content from USB, CD/DVDs, FireWire or other externally connectable sources;
     4) Deploy network access control tools to verify security and patch-level
        compliance before granting access to the network;
     5) Implement a malware incident response process that quickly detects, contains,
        eradicates, and recovers malware-infected hosts; and
     6) Considering that the above recommendations might mitigate 80% of the risk to
        GIAC Enterprises, the remaining 20% is where the real challenge lies. With this
        in mind, advanced technology is needed, such as virtual inspection of executable
        malware and inspection engines that monitor malware infections in real time and
        identify and block communication from compromised systems to attackers’
        command and control servers.

       Recognizing the importance of the GIAC Enterprises cookie sayings, a technology
needs to be recommended to compensate for the deficiencies just mentioned. In
particular, how can one detect and prevent zero-day attacks? Is there a way to monitor
both inbound and outbound traffic to detect command and control sessions? One
commercial example of such technology is FireEye, which recently shared its five key
principles for designing an effective network-based defense. The five key principles on
which GIAC Enterprises will focus are (FireEye, p. 5):
   1)   Dynamic defenses to stop targeted, zero-day attacks;
   2)   Real-time protection to block data exfiltration attempts;
   3)   Integrated inbound and outbound filtering across protocols;
   4)   Accurate, low false positive rates; and
   5)   Global intelligence on advanced threats to protect the local network.

        FireEye has developed next-generation protection against stealth malware to
prevent data loss and intellectual property theft. A diagram depicting this technology is
included below (FireEye, pp. 6-8):

        [Diagram: FireEye stealth malware protection; image not reproduced in this text version]

         Another example of a commercial sensor solution is Damballa Failsafe (Damballa
Failsafe, 2011). It fulfills GIAC Enterprises’ goal of monitoring malware infections in
real time by monitoring DNS, egress, and proxy traffic, and it utilizes multi-dimensional
deep-packet inspection engines to correlate suspicious behaviors, rapidly identifying and
isolating a breach by blocking communication from compromised endpoints to criminal
C&C servers. The following diagram depicts this approach:

        [Diagram: Damballa Failsafe detection approach; image not reproduced in this text version]

      This section helps to automate sub-controls 5.1, 5.2, 5.3, 5.5, 5.6, 5.7, 5.8, and 5.9
(CAG, 2011, pp. 26-27).
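Both products described above work from the same observable signals: DNS, egress and proxy traffic from endpoints toward command and control infrastructure. As an added example, not part of the original paper and not Damballa’s or FireEye’s code, the Python below runs two simple behavioural checks of that kind over constructed log lines: regular-interval beaconing from one client to one destination in a proxy log, and a burst of NXDOMAIN answers to one client in a DNS resolver log. The log formats, IP addresses, domain names and timestamps are all constructed; a real deployment would feed exports from the proxy and resolver instead.

```python
"""Flag hosts whose outbound traffic looks like malware command-and-control.

Added example for the monitoring approach described in this section (DNS,
egress and proxy traffic). It is not Damballa's or FireEye's code. The log
formats, hosts, domains and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client ip> <destination host>"
PROXY_LOG = """\
2012-01-05T09:00:00 10.0.0.5 cdn.example.net
2012-01-05T09:00:02 10.0.0.7 beacon.example.org
2012-01-05T09:03:11 10.0.0.5 news.example.com
2012-01-05T09:04:58 10.0.0.7 beacon.example.org
2012-01-05T09:10:01 10.0.0.7 beacon.example.org
2012-01-05T09:14:59 10.0.0.7 beacon.example.org
2012-01-05T09:17:45 10.0.0.5 cdn.example.net
2012-01-05T09:20:00 10.0.0.7 beacon.example.org
2012-01-05T09:41:02 10.0.0.5 mail.example.com
"""

# Constructed DNS resolver log: "<ISO timestamp> <client ip> <query name> <rcode>"
DNS_LOG = """\
2012-01-05T09:00:00 10.0.0.5 cdn.example.net NOERROR
2012-01-05T09:00:01 10.0.0.9 qzmxk3.example.org NXDOMAIN
2012-01-05T09:00:01 10.0.0.9 pw0rlz.example.org NXDOMAIN
2012-01-05T09:00:02 10.0.0.9 h7ttqa.example.org NXDOMAIN
2012-01-05T09:00:02 10.0.0.9 b2xnc0.example.org NXDOMAIN
2012-01-05T09:00:03 10.0.0.9 mail.example.com NOERROR
2012-01-05T09:00:03 10.0.0.9 vv91kd.example.org NXDOMAIN
2012-01-05T09:03:10 10.0.0.5 newss.example.com NXDOMAIN
2012-01-05T09:03:11 10.0.0.5 news.example.com NOERROR
"""


def parse_log(text, fields):
    """Split whitespace-separated log lines into dicts; the first field is the timestamp."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines instead of crashing the pipeline
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def beacon_candidates(proxy_records, min_hits=4, max_jitter=0.1):
    """Client/destination pairs contacted at near-constant intervals.

    Returns {(client, dest): mean_interval_seconds}. Jitter is the standard
    deviation of the gaps divided by their mean: people browse irregularly,
    implants tend to poll on a timer.
    """
    by_pair = defaultdict(list)
    for r in proxy_records:
        by_pair[(r["client"], r["dest"])].append(r["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[pair] = avg
    return flagged


def nxdomain_spikes(dns_records, threshold=3):
    """Clients with at least `threshold` NXDOMAIN answers: a crude domain-generation signal."""
    counts = defaultdict(int)
    for r in dns_records:
        if r["rcode"] == "NXDOMAIN":
            counts[r["client"]] += 1
    return {c: n for c, n in counts.items() if n >= threshold}


def suspicious_hosts(proxy_text=PROXY_LOG, dns_text=DNS_LOG):
    """Combine both checks into one (client, reason) list for the incident responder."""
    proxy = parse_log(proxy_text, ["ts", "client", "dest"])
    dns = parse_log(dns_text, ["ts", "client", "query", "rcode"])
    out = []
    for (client, dest), avg in sorted(beacon_candidates(proxy).items()):
        out.append((client, f"beaconing to {dest} every {avg:.0f}s"))
    for client, n in sorted(nxdomain_spikes(dns).items()):
        out.append((client, f"{n} NXDOMAIN answers"))
    return out


if __name__ == "__main__":
    for client, reason in suspicious_hosts():
        print(client, reason)
```

The thresholds are tuning knobs, not constants of nature: software update checks and monitoring agents also poll on timers, so the beaconing output should be joined against the asset inventory and an allow-list of known pollers before a host is isolated, and the NXDOMAIN count should be normalized against the client’s usual query volume.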



7. Recommended Risk-based Action Plan
      Clearly APTs pose significant risks to GIAC Enterprises and other organizations.
This has led the Chief Legal Officer (CLO) and Chief Information Officer (CIO) of
GIAC Enterprises to express concern, since the organization has a responsibility to do
what is reasonable and prudent to protect its stakeholders. Therefore, a special team has
been assigned the task of analyzing requirements and surveying available security
standards and guidelines such as ISO, NIST, the 20 Critical Controls, and the Australian
DSD 35 mitigating strategies. Appropriate research has also been conducted, and the
relationship between the various frameworks has been mapped out. In addition,
automation approaches have been developed for the controls the assigned team considers
most pressing. One of the results of this research is a risk-based action plan for GIAC
Enterprises to follow. The objective of this plan is to give tailored security guidance. The
recommended plan is based on the action plan laid out at the end of the 20 Critical
Controls – Consensus Audit Guidelines (CAG, 2011, p. 69), augmented with steps the
team believes are essential for the organization’s specific requirements. Implementing all
20 Critical Controls to the “advanced controls” level can take multiple years. To quickly
mitigate risk, the team believes that once the “Quick Wins” are implemented for the 20
Critical Controls, the focus should be on implementing controls 4, 5, 15, and 17 right away.
       Action Plan:
   1) Conduct a gap assessment to compare the organization’s current security stance to
      the detailed recommendations of the critical controls;
   2) Implement the “quick win” critical controls to address the gaps identified by the
      assessment over the next one or two quarters;
   3) Implement critical controls 4 and 5. Leverage the suggested automation
      approaches included in this research. Reaching the “advanced controls” level is
      preferred, but not necessary;
   4) Implement critical controls 15 and 17. Leverage the suggested automation
      approaches included in this research. Reaching the “advanced controls” level is
      preferred, but not necessary;
   5) Assign security personnel to analyze and understand how the remaining critical
      controls, beyond the quick wins and controls 4, 5, 15, and 17, can be deployed;
   6) For the remaining controls, devise detailed plans to implement the “visibility and
      attribution” and “hardened configuration and improved information security
      hygiene” sub-controls over the next year; and
   7) Plan for the deployment of the “advanced controls” over the longer term, giving
      priority to controls 4, 5, 15, and 17.

8. References
Alperovitch, D. et al. (2011, August 2). Revealed: Operation Shady Rat. Retrieved from http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat
Andress, J. (2011). Advanced Persistent Threat. ISSA Journal, 2011(June), 18-24. Retrieved from https://www.issa.org/images/upload/files/Andress-Advanced%20Persistent%20Threat.pdf
Baseline Standard of Due Care for Cybersecurity (2009, February 23). U.S. Federal Cybersecurity Experts Name Top 20 Controls. Retrieved December 22, 2011, from http://www.gilligangroupinc.com/headlines/2009/feb-23-related/20090223-cag-press-release-pdf.html
Binde, B. et al. (2011, May 22). Assessing outbound traffic to uncover advanced persistent threat. Retrieved from http://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf
Bitpipe.com (2011, September 22). Advanced Persistent Threat: Are You the Next Target? [White paper sponsored by Imperva]. Retrieved December 14, 2011, from http://www.bitpipe.com/detail/RES/1316630992_836.html?asrc=RSS_BP_TERM
Command Party Five Ltd. (2011, September 01). SK Hack by an Advanced Persistent Threat. Retrieved from http://www.commandfive.com/papers/C5_APT_SKHack.pdf
Consensus Audit Guidelines (CAG) Version 3.1 (2011, October 03). Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG). Retrieved December 23, 2011, from http://www.sans.org/critical-security-controls/cag3_1.pdf
Continuity Central – The international business continuity information portal. (2012, January 13). Twenty critical controls for effective cyber defense (U.K. Centre for the Protection of National Infrastructure). Website retrieved January 14, 2012, from http://continuitycentral.com/news06099.html
Coviello, A. (2011, March 18). Open Letter to RSA Customers. Retrieved December 22, 2011, from RSA.com: http://www.rsa.com/node.aspx?id=3872
Damballa. (2011). Advanced Malware. Retrieved January 2, 2012, from http://www.damballa.com/cyber-threats/advanced_malware.php
Damballa Failsafe. (2011). Damballa Failsafe 5.0 Demo. Retrieved January 2, 2012, from http://www.damballa.com/solutions/damballa-failsafe-demo.php?mkt_tok=3RkMMJWWfF9wsRokuKzPZKXonjHpfsX66OUkXaeg38431UFwdcjKPmjr1YEIT9QhcOuuEwcWGog8xA1VGOGZcIE%3D
darkReading.com (2011, December 13). Tenable Network Security Offers Unique Integration With Top Patch Management Solutions. Retrieved December 27, 2011, from http://www.darkreding.com/taxonomy/index/printarticle/id/232300437
Dausin, M. (2010, September 16). Top Cyber Security Risks 2010. Retrieved from http://dvlabs.tippingpoint.com/blog/2010/09/16/top-syber-security-risks-2010
E-Government Act of 2002. (2002, December 17). Public Law 107-347. Retrieved December 21, 2011, from http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf
FIPS PUB 200. (2006, March 09). Federal Information Processing Standards 200 – Announcing the Standard for Minimum Security Requirements for Federal Information and Information Systems. Website retrieved December 21, 2011, from http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
FireEye. (n.d.). 5 Design Principles for Advanced Malware Protection [White paper]. Retrieved December 27, 2011, from http://docs.media.bitpipe.com/io_10x/io_100086/item_407114/FireEye_5DesignPrinciples_wp.pdf
FISMA Implementation Project. (2009, June 12). FISMA Implementation Project. Website retrieved December 21, 2011, from http://www.nist.gov/itl/csd/sma/fisma.cfm
Guido, D. (2011, April 20). The Exploit Intelligence Project. Website retrieved January 28, 2012, from http://www.isecpartners.com/presentations/the-exploit-intelligence-project.html
Gula, R., & Fennelly, C. (2011, November 16). Real-Time Auditing for SANS Consensus Audit Guidelines – Leveraging Asset-Based Configuration and Vulnerability Analysis with Real-Time Event Management. Retrieved December 28, 2011, from http://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/uploads/documents/whitepapers/tenable_SANS-CAG_compliance.pdf
InfoSecurity (2011, June 23). The Hype, and the Reality, Behind Advanced Persistent Threats. Website retrieved December 27, 2011, from http://www.infosecurity-magazine.com/view/18897/the-hype-and-the-reality-behind-advanced-persistent-threats/
Jackson, W. (2011, October 03). NIST offers a how-to for must-do continuous monitoring. Website retrieved January 5, 2012, from http://gcn.com/Articles/2011/10/03/NIST-continuous-monitoring-security.aspx?Page=1
Kruse, P. (2011, September 27). This is how windows get infected by malware. Website retrieved January 28, 2012, from http://www.csis.dk.en.csis/news/3321
Lau, H. (2011, August 04). The Truth Behind the Shady Rat [Web log message]. Retrieved from http://www.symantec.com/connect/blogs/truth-behind-shady-rat
McClure, S. et al. (2010, March 03). Protecting Your Critical Assets: Lessons Learned from “Operation Aurora” [White paper]. Retrieved December 22, 2011, from McAfee.com: http://www.mcafee.com/us/resources/white-papers/wp-protecting-critical-assets.pdf
Mell, P. et al. (2005, November 23). Special Publication 800-83 - Guide to Malware Incident Prevention and Handling. Website retrieved January 30, 2012, from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
Parizo, E. (2012, January 27). Time to ban dangerous apps? Exploring third-party app security. Website retrieved January 27, 2012, from http://searchsecurity.techtarget.com/opinion/Time-to-ban-dangerous-apps-Exploring-third-party-app-security?asrc=EM_NLN_16192387&track=NL-105&ad=860220&
RSA Data Loss Prevention (DLP) Suite (2011, December 20). Retrieved from http://www.rsa.com/node.aspx?id=3426
RSA Data Loss Prevention (DLP) Policy Workflow Manager (PWM) (2011, December 23). Retrieved from http://www.rsa.com/products/DLP/ds/11436_DLPPWM_DS_0611.pdf
RSA Data Loss Prevention (DLP) Risk Remediation Manager (RRM) (2011, December 24). Retrieved from http://www.rsa.com/products/DLP/ds/11435_DLPRRM_DS_0611.pdf
SANS Press Release. (2011, October 24). Australian Defence Signals Directorate wins U.S. National Cybersecurity Innovation Award – Identifying and Implementing the Four Key Controls That Stop the Spread of Targeted Cyber Intrusions. Retrieved January 13, 2012, from http://www.sans.org/press/australian-defence-signals-directorate-national-cybersecurity-award.php
Shook, S. et al. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved from http://www.mcafee.com/in/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
Smith, M. (2011, February 27). NIST SP 800-53 Rev. 4 already in the works. Retrieved December 22, 2011, from http://netlocksmith.blogspot.com/2011/02/nist-sp-800-53-rev-4-already-in-works.html
Sophos. (2011). Security threat report 2011 [White paper]. Retrieved from http://www.sophos.com/medialibrary/Gated Assets/white papers/sophossecuritythreatreport2011wpna.pdf
SP 800-137. (2011, September). NIST Special Publication 800-137 – Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Website retrieved January 5, 2012, from http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf
SP 800-53 Revision 3. (2010, May 01). NIST Special Publication 800-53 Revision 3 – Recommended Security Controls for Federal Information Systems and Organizations. Website retrieved December 21, 2011, from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Tipon, H. & Krause, M. (2007). Information security management handbook, sixth edition. [Books24x7 version] Available from http://common.books24x7.com/toc.aspx?bookid=26438
Walder, B. (2010, November 29). Advanced Evasion Technologies: Weapon of Mass Destruction or Absolute Dud? Retrieved December 29, 2011, from http://www.stonesoft.com/export/download/partner_mat/advanced_evasion_techniques__209087.pdf

9. APPENDIX

Appendix A: FIPS PUB 200 - Specifications for Minimum Security Requirements

Specifications and their descriptions:

Access Control (AC): Organizations must limit information system access to authorized
users, processes acting on behalf of authorized users, or devices (including other
information systems) and to the types of transactions and functions that authorized users
are permitted to exercise.

Awareness and Training (AT): Organizations must: (i) ensure that managers and users of
organizational information systems are made aware of the security risks associated with
their activities and of the applicable laws, Executive Orders, directives, policies,
standards, instructions, regulations, or procedures related to the security of
organizational information systems; and (ii) ensure that organizational personnel are
adequately trained to carry out their assigned information security-related duties and
responsibilities.

Audit and Accountability (AU): Organizations must: (i) create, protect, and retain
information system audit records to the extent needed to enable the monitoring, analysis,
investigation, and reporting of unlawful, unauthorized, or inappropriate information
system activity; and (ii) ensure that the actions of individual information system users
can be uniquely traced to those users so they can be held accountable for their actions.

Certification, Accreditation, and Security Assessments (CA): Organizations must: (i)
periodically assess the security controls in organizational information systems to
determine if the controls are effective in their application; (ii) develop and implement
plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in
organizational information systems; (iii) authorize the operation of organizational
information systems and any associated information system connections; and (iv)
monitor information system security controls on an ongoing basis to ensure the
continued effectiveness of the controls.

Configuration Management (CM): Organizations must: (i) establish and maintain
baseline configurations and inventories of organizational information systems (including
hardware, software, firmware, and documentation) throughout the respective system
development life cycles; and (ii) establish and enforce security configuration settings for
information technology products employed in organizational information systems.

Contingency Planning (CP): Organizations must establish, maintain, and effectively
implement plans for emergency response, backup operations, and post-disaster recovery
for organizational information systems to ensure the availability of critical information
resources and continuity of operations in emergency situations.

Identification and Authentication (IA): Organizations must identify information system
users, processes acting on behalf of users, or devices and authenticate (or verify) the
identities of those users, processes, or devices, as a prerequisite to allowing access to
organizational information systems.

Incident Response (IR): Organizations must: (i) establish an operational incident
handling capability for organizational information systems that includes adequate
preparation, detection, analysis, containment, recovery, and user response activities; and
(ii) track, document, and report incidents to appropriate organizational officials and/or
authorities.

Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on
organizational information systems; and (ii) provide effective controls on the tools,
techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection (MP): Organizations must: (i) protect information system media, both
paper and digital; (ii) limit access to information on information system media to
authorized users; and (iii) sanitize or destroy information system media before disposal
or release for reuse.

Physical and Environmental Protection (PE): Organizations must: (i) limit physical
access to information systems, equipment, and the respective operating environments to
authorized individuals; (ii) protect the physical plant and support infrastructure for
information systems; (iii) provide supporting utilities for information systems; (iv)
protect information systems against environmental hazards; and (v) provide appropriate
environmental controls in facilities containing information systems.

Planning (PL): Organizations must develop, document, periodically update, and
implement security plans for organizational information systems that describe the
security controls in place or planned for the information systems and the rules of
behavior for individuals accessing the information systems.

Personnel Security (PS): Organizations must: (i) ensure that individuals occupying
positions of responsibility within organizations (including third-party service providers)
are trustworthy and meet established security criteria for those positions; (ii) ensure that
organizational information and information systems are protected during and after
personnel actions such as terminations and transfers; and (iii) employ formal sanctions
for personnel failing to comply with organizational security policies and procedures.

Risk Assessment (RA): Organizations must periodically assess the risk to organizational
operations (including mission, functions, image, or reputation), organizational assets, and
individuals, resulting from the operation of organizational information systems and the
associated processing, storage, or transmission of organizational information.

System and Services Acquisition (SA): Organizations must: (i) allocate sufficient
resources to adequately protect organizational information systems; (ii) employ system
development life cycle processes that incorporate information security considerations;
(iii) employ software usage and installation restrictions; and (iv) ensure that third-party
providers employ adequate security measures to protect information, applications, and/or
services outsourced from the organization.

System and Communications Protection (SC): Organizations must: (i) monitor, control,
and protect organizational communications (i.e., information transmitted or received by
organizational information systems) at the external boundaries and key internal
boundaries of the information systems; and (ii) employ architectural designs, software
development techniques, and systems engineering principles that promote effective
information security within organizational information systems.

System and Information Integrity (SI): Organizations must: (i) identify, report, and
correct information and information system flaws in a timely manner; (ii) provide
protection from malicious code at appropriate locations within organizational
information systems; and (iii) monitor information system security alerts and advisories
and take appropriate actions in response.

Appendix B: Mapping between the 20 Critical Security Controls and National
Institute of Standards and Technology Special Publication 800-53, Revision 3,
Priority 1 Items

Columns: Control; References (SP 800-53 Rev. 3 controls, with control items
and enhancements in parentheses)

Critical Control 1: Inventory of Authorized and Unauthorized Devices
    CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6

Critical Control 2: Inventory of Authorized and Unauthorized Software
    CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), CM-8 (1, 2, 3, 4, 6),
    CM-9, PM-6, SA-6, SA-7

Critical Control 3: Secure Configurations for Hardware and Software
    CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4),
    CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6

Critical Control 4: Continuous Vulnerability Assessment and Remediation
    RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)

Critical Control 5: Malware Defenses
    SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)

Critical Control 6: Application Software Security
    CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10

Critical Control 7: Wireless Device Control
    AC-17, AC-18 (1, 2, 3, 4), SC-9 (1), SC-24, SI-4 (14, 15)

Critical Control 8: Data Recovery Capability
    CP-9 (a, b, d, 1, 3), CP-10 (6)

Critical Control 9: Security Skills Assessment and Appropriate Training to
Fill Gaps
    AT-1, AT-2 (1), AT-3 (1)

Critical Control 10: Secure Configurations for Network Devices such as
Firewalls, Routers, and Switches
    AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4),
    CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5,
    SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9

Critical Control 11: Limitation and Control of Network Ports, Protocols, and
Services
    CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12)

Critical Control 12: Controlled Use of Administrative Privileges
    AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4)

Critical Control 13: Boundary Defense
    AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5,
    SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18, SI-4 (c, 1, 4, 5, 11), PM-7

Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit
Logs
    AC-17 (1), AC-19, AU-2 (4), AU-3 (1, 2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8,
    AU-9 (1, 2), AU-12 (2), SI-4 (8)

Critical Control 15: Controlled Access Based on the Need to Know
    AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a)

Critical Control 16: Account Monitoring and Control
    AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3

Critical Control 17: Data Loss Prevention
    AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1),
    SI-4 (4, 11), PM-7

Critical Control 18: Incident Response Capability
    IR-1, IR-2 (1), IR-4, IR-5, IR-6 (a), IR-8

Critical Control 19: Secure Network Engineering
    IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7

Critical Control 20: Penetration Tests and Red Team Exercises
    CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)

Appendix C: Mapping between the 20 Critical Security Controls and the
Australian Government Defence Signals Directorate's 35 Mitigation Strategies

Columns: Mitigation Strategy Effectiveness Ranking; Mitigation Strategy;
Matching Top 20 Critical Controls (listed as control.sub-control)

1.  Patch applications (e.g., PDF viewer, Flash Player, Microsoft Office and
    Java). Patch or mitigate within two days for high-risk vulnerabilities.
    Use the latest version of applications.
    Matching Critical Controls: 4.3

2.  Patch operating system vulnerabilities. Patch or mitigate within two days
    for high-risk vulnerabilities. Use the latest operating system version.
    Matching Critical Controls: 4.3

3.  Minimize the number of users with domain or local administrative
    privileges. Such users should use a separate unprivileged account for
    e-mail and web browsing.
    Matching Critical Controls: 19.1, 19.6

4.  Application white listing to help prevent malicious software and other
    unapproved programs from running (e.g., by using Microsoft Software
    Restriction Policies or AppLocker).
    Matching Critical Controls: 2.4

5.  Host-based intrusion detection/prevention system to identify anomalous
    behavior such as process injection, keystroke logging, driver loading,
    and call hooking.
    Matching Critical Controls: 8.1, 8.6

6.  White-listed email content filtering allowing only attachment types
    required for business functionality. Preferably convert/sanitize PDF and
    Microsoft Office attachments.
    Matching Critical Controls: 8.5

7.  Block spoofed e-mails using sender policy framework checking of incoming
    e-mails, and a "hard fail" SPF record to help prevent spoofing of your
    organization's domain.
    Matching Critical Controls: 12.5

8.  User education (e.g., Internet threats and spear phishing socially
    engineered emails). Avoid weak pass phrases, pass phrase re-use, exposing
    e-mail addresses, unapproved USB devices.
    Matching Critical Controls: 19.1, 17.1, 17.2, 17.3, 17.4, 17.5

9.  Web content filtering of incoming and outgoing traffic, using signatures,
    reputation ratings, and other heuristics, and white listing allowed types
    of web content.
    Matching Critical Controls: 12.1, 12.2, 12.3

10. Web domain white listing for all domains, since this approach is more
    proactive and thorough than black listing a tiny percentage of malicious
    domains.
    Matching Critical Controls: 12.1, 12.7

11. Web domain whitelisting for HTTPS/SSL domains, since this approach is
    more proactive and thorough than black listing a tiny percentage of
    malicious domains.
    Matching Critical Controls: 12.1, 12.7

12. Workstation inspection of Microsoft Office files for abnormalities (e.g.,
    using the Microsoft Office File Validation feature).
    Matching Critical Controls: 8.1, 8.6

13. Application-based workstation firewall, configured to deny traffic by
    default, to protect against malicious or otherwise unauthorized incoming
    network traffic.
    Matching Critical Controls: 3.3, 8.1, 5.1

14. Application-based workstation firewall, configured to deny traffic by
    default, that white lists which applications are allowed to generate
    outgoing network traffic.
    Matching Critical Controls: 3.3, 8.1, 8.8, 5.1

15. Network segmentation and segregation into security zones to protect
    sensitive information and critical services such as user authentication
    and user directory information.
    Matching Critical Controls: 10.8, 12.6, 20.4, 11.1, 11.5

16. Multi-factor authentication especially implemented for when the user is
    about to perform a privileged action, or access a database or other
    sensitive information repository.
    Matching Critical Controls: 10.6, 19.11

17. Randomized local administrator pass phrases that are unique and complex
    for all computers. Use domain group privileges instead of local
    administrator accounts.
    Matching Critical Controls: 19.1, 19.7

18. Enforce a strong pass phrase policy covering complexity and length, and
    avoiding both pass phrase re-use and the use of dictionary words.
    Matching Critical Controls: 19.1, 19.8, 13.7

19. Border gateway using an IPv6-capable firewall to prevent computers from
    directly accessing the Internet except via a split DNS server, an e-mail
    server, or an authenticated web proxy.
    Matching Critical Controls: 10.5, 12.7, 11.3

20. Data execution prevention using hardware and software mechanisms for all
    software applications that support DEP.
    Matching Critical Controls: 3.3

21. Anti-virus software with up-to-date signatures, reputation ratings, and
    other heuristic detection capabilities. Use gateway and desktop
    anti-virus software from different vendors.
    Matching Critical Controls: 8.1, 8.2, 8.5, 8.6

22. Nonpersistent, virtualized trusted operating environment with limited
    access to network file shares, for risky activities such as reading
    e-mail and web browsing.
    Matching Critical Controls: 2.6

23. Centralized and time-synchronized logging of allowed and blocked network
    activity, with regular log analysis, storing logs for at least 18 months.
    Matching Critical Controls: 7.1, 7.3, 7.5, 7.6, 7.7

24. Centralized and time-synchronized logging of successful and failed
    computer events, with regular log analysis, storing logs for at least
    18 months.
    Matching Critical Controls: 7.1, 7.4, 7.5, 7.6

25. Standard operating environment with unrequired operating system
    functionality disabled (e.g., IPv6, autorun and Remote Desktop). Harden
    file and registry permissions.
    Matching Critical Controls: 3.1, 3.2, 3.3, 8.3

26. Workstation application security configuration hardening (e.g., disable
    unrequired features in PDF viewers, Microsoft Office applications, and
    web browsers).
    Matching Critical Controls: 3.1, 3.2, 3.3

27. Restrict access to NetBIOS services running on workstations and on
    servers where possible.
    Matching Critical Controls: 20.3, 20.4

28. Server application security configuration hardening (e.g., databases,
    web applications, customer relationship management, and other data
    storage systems).
    Matching Critical Controls: 3.1, 3.2, 3.3

29. Removable and portable media control as part of a data loss prevention
    strategy, including storage, handling, white listing allowed USB
    devices, encryption, and destruction.
    Matching Critical Controls: 8.3, 8.4, 9.7, 9.8, 9.10

30. TLS encryption between e-mail servers to help prevent legitimate e-mails
    from being intercepted and used for social engineering. Perform content
    scanning after email traffic is decrypted.
    Matching Critical Controls: 20.4

31. Disable LanMan password support and cached credentials on workstations
    and servers to make it harder for adversaries to crack password hashes.
    Matching Critical Controls: 3.1, 3.2, 3.3, 19.5

32. Block attempts to access websites by their IP address instead of by
    their domain name.
    Matching Critical Controls: 12.1, 12.7

33. Network-based intrusion detection/prevention system using signatures and
    heuristics to identify anomalous traffic both internally and crossing
    network perimeter boundaries.
    Matching Critical Controls: 12.2, 12.3

34. Gateway black listing to block access to known malicious domains and IP
    addresses, including dynamic and other domains provided free to
    anonymous Internet users.
    Matching Critical Controls: 12.1

35. Full network traffic capture to perform post-incident analysis of
    successful intrusions, storing network traffic for at least the previous
    seven days.
    Matching Critical Controls: 12.4
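The mappings in Appendix B and Appendix C are the crosswalk tables the paper's title proposes to automate. The Python below is an added example (ours, not code from the paper or from GIAC Enterprises) that parses both reference notations and builds the reverse indexes a practitioner usually needs: which Critical Controls cite a given SP 800-53 control, which items and enhancements of that control are cited anywhere, and which DSD strategies map onto a given Critical Control. The embedded rows are a subset copied from the two appendices; the function names are ours. The Critical Control numbering in Appendix C follows a different ordering than Appendix B (compare administrative privileges, Control 12 in Appendix B but 19.x in Appendix C), so the two indexes are kept separate rather than joined on control number.

```python
"""Reverse-index the two crosswalk tables (added example, not the paper's code).

APPENDIX_B: Critical Control number -> SP 800-53 Rev 3 references (Appendix B).
APPENDIX_C: DSD mitigation strategy rank -> matching Critical Control
            sub-controls (Appendix C, which uses its own control numbering).
"""
import re
from collections import defaultdict

# Subset of Appendix B rows, copied verbatim from the page.
APPENDIX_B = {
    1: "CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6",
    4: "RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)",
    5: "SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)",
    12: "AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4)",
    13: ("AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, "
         "SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18, SI-4 (c, 1, 4, 5, 11), PM-7"),
    17: ("AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), "
         "SI-4 (4, 11), PM-7"),
}

# Subset of Appendix C rows, copied verbatim from the page.
APPENDIX_C = {
    1: "4.3",
    3: "19.1, 19.6",
    9: "12.1, 12.2, 12.3",
    10: "12.1, 12.7",
    23: "7.1, 7.3, 7.5, 7.6, 7.7",
    24: "7.1, 7.4, 7.5, 7.6",
}

# One SP 800-53 reference: two-letter family, control number, and an optional
# bracketed list mixing control items (letters) and enhancements (numbers).
SP80053_REF = re.compile(r"\b([A-Z]{2})-(\d+)(?:\s*\(([^)]*)\))?")


def parse_sp80053(refs):
    """Yield (control_id, items) per reference, e.g. ("SC-7", ["1", "2"])."""
    for family, number, items in SP80053_REF.findall(refs):
        item_list = [i.strip() for i in items.split(",") if i.strip()]
        yield f"{family}-{number}", item_list


def sp80053_reverse_index(table=APPENDIX_B):
    """Map each SP 800-53 control id to the sorted Critical Controls citing it."""
    index = defaultdict(set)
    for cc, refs in table.items():
        for control_id, _items in parse_sp80053(refs):
            index[control_id].add(cc)
    return {cid: sorted(ccs) for cid, ccs in index.items()}


def items_cited(control_id, table=APPENDIX_B):
    """Union of the items/enhancements of one control cited anywhere in the
    table: control items (letters) first, then enhancements in numeric order."""
    cited = set()
    for refs in table.values():
        for cid, items in parse_sp80053(refs):
            if cid == control_id:
                cited.update(items)
    return sorted(cited, key=lambda s: (s.isdigit(), int(s) if s.isdigit() else 0, s))


def parse_subcontrols(refs):
    """Parse "19.1, 19.6" into [(19, 1), (19, 6)]."""
    return [tuple(int(p) for p in tok.split(".")) for tok in refs.split(",") if tok.strip()]


def strategies_per_control(table=APPENDIX_C):
    """Map each Critical Control number (Appendix C numbering) to the DSD
    strategy ranks that map onto any of its sub-controls."""
    index = defaultdict(set)
    for rank, refs in table.items():
        for control, _sub in parse_subcontrols(refs):
            index[control].add(rank)
    return {control: sorted(ranks) for control, ranks in index.items()}


if __name__ == "__main__":
    for cid, ccs in sorted(sp80053_reverse_index().items()):
        print(f"{cid:7} cited by Critical Control(s) {ccs}; items {items_cited(cid)}")
    for control, ranks in sorted(strategies_per_control().items()):
        print(f"Critical Control {control} (Appendix C numbering) <- DSD strategies {ranks}")
```

Running the reverse index over the full Appendix B table shows, for instance, that SC-7 is cited by Controls 10, 11, 13, 17 and 19 with different enhancement sets, which is exactly the overlap an automated crosswalk has to reconcile before it can report coverage of a single SP 800-53 control.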

				