Supporting Material STScI by liaoqinmei


									Technical Control Standards for
    Security Configuration
        Developed Via
 Public / Private Partnership

        Bert Miuccio, Vice President
       The Center for Internet Security
    Information Security Controls
             (NIST Pub 800-53)

 Management Controls
 Operational Controls
 Technical Controls
  Security Controls (NIST Pub 800-53)

 Management Controls
 - address the assessment and management of
 risk related to information systems
  Security Controls (NIST Pub 800-53)

 Operational Controls
  – address security risks and recommendations
    primarily related to the people who use
    information systems (as opposed to the
    systems themselves)
  – describe ―what‖ to do in broad terms, and
    some times describe ―when‖ and by ―whom‖
  Security Controls (NIST Pub 800-53)

 Technical Controls
  – define in detailed technical terms ―how‖ to
    implement the requirements of the higher level
    guidance within specific systems (operating
    systems, applications, devices / Microsoft, Sun,
    Cisco, Oracle, etc)
Current Information Security Guidance:
 • High level management controls-based guidance
    - OECD and GAISP
 • Mid-level operational controls-based guidance
    – ISO 17799
    – FISMA
    – CobIT (ISACA)
    – Standards of Good Practice (ISF)
 • Detailed technical controls guidance
    – CIS Consensus Benchmarks and Scoring Tools
    – NSA, DISA, NIST, and security service / software vendors
Most vulnerabilities being exploited by attackers
exist because of:

   • Software defects
      – Fixed with vendor patches

   • Inadequate technical security controls
      – Fixed by settings which enable or disable security
        features of the software or network device
 Examples of security requirements/policies
 activated via technical controls
• Password length, complexity
• Account lockout after X attempts
• Log what system events?
• Idle time before workstation logoff
• Who is allowed to install printer drivers?
• What unneeded services to disable?
We have met the enemy, and it is us!

“Through 2005, 90 percent of cyber attacks will
  continue to exploit known security flaws for which a
  patch is available or a preventive measure known.”

             » Gartner Group, May 6, 2002
Why are vendors shipping unsecured systems?
• ―Our customers don’t want security; they want features
  and performance. When they do want security, we’ll
  deliver it.‖
• ―Every customer wants something different. We can’t be
  expected to deliver and maintain thousands of different
           Recognizing the challenge

• Cosmos Club meeting Aug 2000
• Need to develop and proliferate detailed operational
  best practices
   – The only true solution is to raise the bar everywhere--
   – Private sector won’t trust gov’t to do it
   – Private sector companies don’t trust each other
     because of competitive self-interest
    The Center for Internet Security (CIS)

• Formed in October 2000
• A not-for-profit consortium of users
• Focused on the common needs of the global Internet
   – Knowledge transfer from haves to have-nots
• Convenes and facilitates consensus teams that
  develop detailed operational best practices
Some participants in the consensus effort:
 • National Institute of        •   NASA
   Standards and Technology     •   Australian Nat’l Audit Ofc
 • Infocomm Development         •   US Dept of Justice
   Authority of Singapore       •   Library of Congress
 • Naval Surface Warfare        •   Royal Canadian Mounted
   Center                           Police
 • US Treasury Financial        •   Communications Security
   Management Service               Establishment (Canada)
 • Washington State Dept. of    •   Canadian CERT
                                •   GSA
 • US Army Corps of Engineers
                                •   NSA
 • Defense Info Sys Agency
                                •   DHS
 • Federal Reserve System
                                •   FedCIRC
 • State of Maryland
Some Participants (cont’d):
• Dun and Bradstreet              • Swiss Reinsurance Company
• Electric Power Research Inst.   • University Health System
• SASKTel                                Consortium
• Fidelity National Financial     • Humana
• LG&E Energy                     • Nu Skin Enterprises
• Hospital Corp. of America       • Online Resources
• Duetsche Telekom T-Com          • Phelps Dodge Corporation
• Intel                           • STERIS Corporation
• Bank of Montreal                • Thomson Holdings
• Pfizer                          • Wachovia Corporation
• Caterpillar                     • Agilent Technologies
• Intuit                          • Shell Info. Tech. Int’l
• Anadarko Petroleum              • PeopleSoft
• Batelle                         • News Corporation
Some Participants (cont’d):
Universities:                         Consulting/Service:
• Institute for Security Technology   • IBM Consulting
  Studies at Dartmouth                • Configuresoft
• Virginia Tech                       • ISS
• Monash University (Australia)       • Symantec
• Duke University                     • BindView
• University of Missouri              • Sequation
• Blenkinge Inst. of Technology       • NetIQ
  (Sweden)                            • Solutionary
• Utah State University               • RDA Corporation
• University of California, SF        • Belarc
• New York University                 • GFM Consulting
• Illinois Institute of Technology
• College of William and Mary
Vendors are fully engaged as team members,
working alongside government and private
sector users
  • Microsoft
  • Sun
  • HP
  • Cisco
  • Oracle
  • AOL
The consensus process
• Teams are formed with security experts from member
• An initial benchmark draft is obtained or developed
• Consensus is established via email and conference call
• A scoring tool is developed
• They are made available free to all users globally via the
  CIS website
What has collaboration among the
  participants achieved so far?
Currently available:
• Level I Configuration Benchmarks
   – Solaris
   – Linux
   – HP-UX
   – Windows NT
   – Windows 2000
   – Windows XP
   – Cisco Router IOS
   – Oracle Database
A Level I Benchmark:

• Can be implemented by a sysadmin of any level of
  security expertise
• Can be monitored by a compliance tool
• Is not likely to ―break‖ any function

• Represents a baseline level of security
Currently available:

• Level II Benchmarks
   – Windows 2000 Professional
   – Windows 2000 Server
   – Windows XP
   – CISCO Router IOS Level
   – Oracle Database
Currently available:

• Configuration Scoring Tools
   – Available for each Benchmark
   – Scan only (don’t automatically change settings)
   – Host based (not network scanners)
   – Compare configuration of the scanned system with the
     corresponding benchmark, score it on a scale of 1-10
   – Configure a newly deployed system and monitor
     configuration of the computers on which they are installed
Under development:

   • Benchmarks and Scoring Tools for:
      –   Apache
      –   Windows IIS
      –   Catalyst Switches
      –   PIX Firewall
      –   Check Point FW-1
      –   Server 2003
      –   SQL Server
      –   Juniper Router
      –   and others
The impact…

Case studies show that 80-90% of known
vulnerabilities are blocked by the security settings in
the consensus benchmarks…….
Case Study Methodology
• (1) Scan a system ―out of the box‖ and list identified
• (2) Configure the system with the appropriate
• (3) Rescan the system and note the vulnerabilities
Vulnerability Assessment Case studies

                                                     % of Vuls

            Study      System       Benchmark        Eliminated

    Solutionary     W2K Server    Level I       85

    Citadel         W2K Pro       Level I       81

    NSA             W2K Pro       Level II      91

    Mitre           W2K Pro       Level II      83 (CVE)

    Citadel         W2K Server    Level II      99

    Citadel         RedHatLinux   Level I       100
IA Newsletter describing the NSA and Mitre

• Vol 5, Number 3, Fall 2002
 NSA Red/Blue Team Conference Oct 2003

• These teams are the security experts whose job is to
  discover weaknesses in DoD networks by attempting to
  penetrate them
  At that conference:

• During four days of trying, these security experts were
  unable to break into a Microsoft Windows network with
  up-to-date patches and configured with the consensus
  benchmark technical controls
Milestones in the consensus benchmark effort

• Jul 02 – W2K Level-2 benchmark announced by NSA,
  DISA, NIST, GSA, SANS, and private sector
• Oct 02 - U.S. government begins promulgating
  consensus benchmarks and tools via FedCIRC
• Nov 02 – NSA reports that consensus benchmarks
  eliminate over 90% of known vulnerabilities
• Dec 02 - VISA adopts benchmarks for its Cardholder
  Information Security Program Digital Dozen
Milestones in the consensus benchmark effort
 • Jul 03 – Dell begins delivering Windows 2000 systems
   pre-configured with consensus benchmark settings
 • Sep 03 - U.S. Dept of Energy announces procurement
   requiring Oracle to pre-configure its software with the
   consensus benchmark settings
 • Dec 03 – AOL requests a benchmark for its users
 • June 04 – Dell will begin shipping configured XP systems
 Factors driving adoption of the consensus
 benchmark practices

• Private sector desire for liability protection via evidence
  of due care
• Regulatory compliance
   – SOX, HIPAA, GLB, FISMA, etc
• Incorporation in procurement req’ts by government and
  commercial buyers
   – Consensus on technical controls developed jointly with
     users enables vendors to deliver systems that are more
     secure by default
How can you become involved?

• Download the Benchmarks and Scoring Tools.
• Use them to configure your new installations.
• Compare the configuration of your production systems.

            How do your systems measure up?

•   As necessary – improve your security configs.
•   Share your feedback – contribute to the consensus.
How else can you be involved?

• Become a CIS member –
  help develop and proliferate the consensus
  benchmarks as common practice — thus making the
  Internet safer for you and everyone else.

• Using the benchmarks and scoring tools available
  free at implements much of
  currently available high level guidance (SOX, HIPAA,
  GLB, FISMA, etc)
• Users and vendors are working together to improve
  security practice
• Detailed configuration practice offers substantial
  payoff for the effort expended
     Bert Miuccio
         Important Background Information
           ―The Benefits of Membership‖
• The benchmarks & tools are periodically updated to
   – reflect consensus input from security professionals
   – keep pace with updated versions of the subject software
   – include technical controls that help defend against emerging
      threats and vulnerabilities
• The Terms of Use prohibit redistribution of the benchmarks and
  software tools for the purpose of minimizing redistribution of
  outdated versions of the resources.
TOU on the CIS web site

• Grant of Limited rights.
   “CIS hereby grants each user the following rights, but only so
   long as the user complies with all of the terms of these Agreed
   Terms of Use:
    – Except to the extent that we may have received additional
      authorization pursuant to a written agreement with CIS, each
      user may download, install and use each of the Products on
      a single computer;”
        ―The Benefits of Membership‖

• #2. The right to distribute the benchmarks and tools
  within your organization. (User Members and
  Consulting Members only are entitled to this benefit)
Some problems with existing IS guidance
• Requirements at various levels of abstraction that are
    – Structurally disconnected/fragmented

• Some focus on principles; others on controls
• Not readily scalable for different types and sizes of organizations
• Developed and promoted by different professional communities
   vying for position
    – Different taxonomies and terminology

• Detailed technical controls have been largely ignored
Vendors Issue Patches –
Users Don’t Apply Them

                     Forrester Research
                     April 3, 2003

To top