Information Security Transformation Handouts

Uploaded by Rimsha Ishtiaq (Scribd, 1,039 pages)

What is Information Security ?

• Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. (SANS)
• IT security is information security applied to technology.
• Information security also covers physical security, human resource security, legal & compliance, organizational, and process-related aspects.
• IT security functions:
– Network security
– Systems security
– Application & database security
– Mobile security
• InfoSec functions:
– Governance
– Policies & procedures
– Risk management
– Performance reviews
• What is cyber security?
– Precautions taken to guard against unauthorized access to data (in electronic form) or information systems connected to the internet
– Prevention of crime related to the internet
What Is Information Security Awareness ?

• Ensure employees are aware of:
– The importance of protecting sensitive information
– What they should do to handle information securely
– Risks of mishandling information
REF: PCI Best Practices For Implementing Security Awareness, https://www.pcisecuritystandards.org/documents/
• NIST Special Publication 800-50 (Building an Information Technology Security Awareness and Training Program) distinguishes three levels:
– Awareness
– Training
– Education
• Awareness:
– Awareness is not training
– The purpose of awareness is simply to focus attention on security
– Change behavior or reinforce good security practices
REF: NIST SP 800-50, page 8
• Training:
– "Strives to produce relevant and needed security skills and competencies"
– Seeks to teach skills
– E.g. an IT security course for system administrators covering all security aspects
REF: NIST SP 800-50, page 9
• Education:
– Integrates all of the skills and competencies into a common body of knowledge
– E.g. a degree program
[Figure: NIST SP 800-50 implementation steps]
• Don'ts:
– Share your password
– Click on suspicious email links
– Install unlicensed software on your PC
• Do's:
– Log out when getting up from your system
– Report security incidents
What is Information Security ?

• Three pillars of information security:
– Confidentiality: keeping information secret
– Integrity: keeping information in its original form (no unauthorized or undetected modification)
– Availability: keeping information and information systems available for use
Why Is Information Security Needed ?

• Bangladesh Bank SWIFT hack, Feb 2016: hackers used the SWIFT credentials of Bangladesh central bank employees to send more than three dozen fraudulent money transfer requests.
• The requests were sent to the Federal Reserve Bank of New York, asking it to transfer millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia.
• USD 81 million stolen
• Total impact could have been USD 1 billion
REF: WIRED.COM
[Figure: Recent cyber attack, May 2017; REF: TELEGRAPH]
[Figure: REF: GUARDIAN]
• The importance of information:
– IT is pervasive in our society and critical to the operations and management of all organizations
– IT is an enabler for business and government
– Personal information is vital for individuals to function in society
– Information holds value
• As per the PwC Global Economic Crime Report 2016, cyber crime was amongst the top 3 most commonly reported types of economic crime
• As per the Europol 2013 report, cyber crime is now more profitable than the drug trade
Who Is Information Security For ?

• Personal:
– Social media passwords and safe usage
– Online banking and email account passwords
– Home PC/laptop security
– Mobile security
• Organizational:
– Board and executive leadership (management commitment)
– CISO (responsible for driving the security program)
– IT staff and business users (following information security policies & procedures)
• Government and national:
– Law enforcement
– Legal and policy making
– National database
– Critical infrastructure
– Regulation
– Standards and certification
– Capacity-building and coordination
• The five pillars on which the ITU Global Cybersecurity Index scores countries:
– Legal
– Technical
– Organizational
– Capacity building
– Cooperation
• Pakistan ranked almost at the bottom of the table in the international ranking by ITU
• Information security is everyone's responsibility
• Pakistan Cyber Security Association (PCSA) formed to address Pakistan's international ranking
How Is Information Security Implemented ?

• Three pillars of information security:
– People
– Process
– Technology
[Figure: REF: LINKEDIN]
• Leadership commitment:
– "Tone at the top"
– Information security policy and objectives
– Assigning responsibility and authority
– Resource allocation
– Performance reviews
– Ensuring accountability
• Information Security Manager or CISO:
– Heads the department responsible for implementing the information security program
– Directs planning, implementation, measurement, review, and continual improvement of the program
• IT user:
– Understand policies
– Conduct security/risk assessment
– Design effective security architecture
– Develop SOPs and checklists
– Implement controls
– Report incidents
– Conduct effective change management
• Business user:
– Security awareness and training
– Follow the information security policy
– Develop and implement secure business processes
– Role-based access control and periodic reviews
– Report incidents
• Information security program:
– Assessing security risks and gaps
– Implementing security controls
– Monitoring, measurement, & analysis
– Management reviews and internal audit
– Accreditation/testing
Who Are The Players In Information Security ?

• Government
• Industry & sectors
• International organizations
• Professional associations
• Academia and research organizations
• Vendors and suppliers
• Government:
– Policy making
– Law enforcement
– Legal system
– National cyber security strategy and standards
– International coordination
– Computer Incident Response Team (CIRT)
• Industry & sectors:
– Financial institutions
– Telecoms
– Armed forces
– Federal and provincial IT boards
– Enterprises
– Various other sectors (manufacturing, automotive, health, insurance, etc.)
• International organizations:
– APCERT (www.apcert.org)
– European Union Agency for Network & Information Security, ENISA (www.enisa.org)
– ITU IMPACT (http://www.impact-alliance.org)
https://www.itic.org/dotAsset/c/c/cc91d83a-e8a9-40ac-8d75-0f544ba41a71.pdf
• Professional associations:
– ISACA (isaca.org)
– ISC2 (www.isc2.org)
– OWASP (www.owasp.org)
– Cloud Security Alliance
– Pakistan Cyber Security Association (PCSA)
• Academia & research organizations:
– Universities and research programs
– SANS (www.sans.org)
– Center for Internet Security (www.cisecurity.org)
http://cybersecurityventures.com/cybersecurity-associations/
Infosec Transformation Framework 4 Layers

1. Security hardening
2. Vulnerability management
3. Security engineering
4. Security governance
(The layers stack bottom-up: 1. Security Hardening, 2. Vulnerability Management, 3. Security Engineering, 4. Security Governance.)
• 1: Security hardening:
– Compile IT assets
– Establish a minimum security baseline (MSB)
– Research security controls and benchmarks
– Pilot (test)
– Implement controls
– Monitor and update controls
• 2: Vulnerability management:
– Purchase an internal tool (Nessus, Qualys, etc.)
– Conduct vulnerability assessment
– Prioritize and remediate
– Report
– Repeat the cycle on a quarterly/monthly basis
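The "prioritize and remediate" step is where most vulnerability programs stall, because a raw scanner export ranks everything by CVSS alone. The following added example (not part of the original handouts, and not output from Nessus or Qualys) shows one way to turn scanner findings into a risk-ranked remediation queue with SLA tracking for the periodic report. The `Finding` schema, the criticality and exploit weights, the SLA bands and the four sample findings are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    """One scanner finding joined with asset-inventory data (hypothetical schema)."""
    host: str
    title: str
    cvss: float              # CVSS base score reported by the scanner (0.0-10.0)
    asset_criticality: int   # 1 = low, 2 = medium, 3 = critical (from the asset inventory)
    exploit_available: bool  # a public exploit is known for this issue
    first_seen: date         # date the scanner first reported it


# Constructed sample findings for this example; not real scan results.
FINDINGS = [
    Finding("db-01", "SMBv1 remote code execution", 8.1, 3, True, date(2017, 5, 1)),
    Finding("web-02", "TLS 1.0 enabled", 5.3, 2, False, date(2017, 4, 1)),
    Finding("kiosk-07", "SSH version banner disclosure", 2.6, 1, False, date(2017, 1, 1)),
    Finding("web-02", "Application framework RCE", 9.8, 2, True, date(2017, 5, 20)),
]

# Assumed weights: asset criticality scales the scanner score; a public exploit adds 50%.
CRITICALITY_WEIGHT = {1: 1.0, 2: 1.5, 3: 2.0}
EXPLOIT_MULTIPLIER = 1.5

# Assumed remediation SLAs (days) per priority band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed reporting date used by the stand-alone run below.
REPORT_DATE = date(2017, 6, 1)


def risk_score(f: Finding) -> float:
    """CVSS adjusted for business context; maximum is 10 * 2.0 * 1.5 = 30."""
    score = f.cvss * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.exploit_available:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 2)


def priority_band(f: Finding) -> str:
    """Map the adjusted score to an SLA band (thresholds are assumptions)."""
    s = risk_score(f)
    if s >= 20:
        return "critical"
    if s >= 12:
        return "high"
    if s >= 6:
        return "medium"
    return "low"


def due_date(f: Finding) -> date:
    """Remediation deadline: first detection plus the band's SLA."""
    return f.first_seen + timedelta(days=SLA_DAYS[priority_band(f)])


def remediation_queue(findings):
    """Findings ordered highest adjusted risk first; this is the work order for IT."""
    return sorted(findings, key=risk_score, reverse=True)


def overdue(findings, today: date):
    """Findings past their SLA on `today`, for the monthly/quarterly report."""
    return [f for f in findings if today > due_date(f)]


if __name__ == "__main__":
    late = overdue(FINDINGS, REPORT_DATE)
    for f in remediation_queue(FINDINGS):
        flag = "OVERDUE" if f in late else "ok"
        print(f"{priority_band(f):8} {risk_score(f):5.2f} {f.host:9} due {due_date(f)} {flag}  {f.title}")
```

Note that the medium-severity TLS finding on web-02 ranks below the two exploitable issues even though it was found earlier, while the same host's framework RCE jumps to the top: the asset-inventory join is what makes the ranking defensible to the asset owner, so the "compile IT assets" step of layer 1 is a prerequisite for this one.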
• 3: Security engineering:
– Assess risk profile
– Research security solutions
– Design security architecture
– Implement security controls & solutions
– Test and validate security posture
• 4: Security governance:
– Policies and procedures
– Risk management
– Core governance activities (change management, incident management, internal audit)
– Training & awareness
– Performance reviews
What Is Information Security Hardening ?

• IT assets (network, systems, applications, databases, mobile, physical security) come with default settings which are not suitable for security
• Security hardening is the process of configuring IT assets to maximize the security of the IT asset and minimize security risks
• Security in the "trenches":
– Security at the most fundamental operational layer
– Security where it matters most
– Usually (but not always) involves junior staff who need extra guidance, training, and scrutiny
• Hardening process:
1. Identify critical assets (& asset owner)
2. Research applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor
• Why is security hardening the first step in the security transformation model?
– Most basic security settings
– If not adequately addressed here, the rest of the security measures hardly matter
• Short example of Cisco router security hardening:
– Remote access through SSH and not through telnet
– Turn off all unused services
– Session timeout and password retry lockout
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
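To make the checklist, SOP and validation steps concrete, here is an added example (not from the handouts or from Cisco) of a minimum security baseline check for the three router settings listed above, run over two constructed IOS-style configurations: a weak one and its hardened counterpart. The MSB control identifiers, the configuration text and the small parser are assumptions for illustration. On real devices the input would be the output of `show running-config`; note that an absent line can mean an IOS default rather than a missing control, so each rule states what it treats as non-compliant.

```python
import re

# Constructed IOS-style configurations for this example (not from a real device).
WEAK_CONFIG = """\
hostname edge-rtr-1
service password-encryption
ip http server
ip ssh version 1
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
 login local
line vty 5 15
 transport input telnet
 login local
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
service password-encryption
no ip http server
ip ssh version 2
login block-for 120 attempts 3 within 60
line vty 0 4
 exec-timeout 10 0
 transport input ssh
 login local
line vty 5 15
 exec-timeout 10 0
 transport input ssh
 login local
"""


def parse_ios(config):
    """Split an IOS-style config into top-level commands and their indented children.

    Returns (top, sections): top is the list of unindented lines in order,
    sections maps each unindented line to the list of indented lines under it.
    """
    top, sections = [], {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def check_msb(config):
    """Return a list of (control id, message) findings; an empty list means compliant.

    The MSB-01..05 identifiers are hypothetical names for this example's baseline.
    """
    top, sections = parse_ios(config)
    findings = []
    # MSB-01: remote access over SSH version 2 only (SSHv1 has known protocol weaknesses)
    if "ip ssh version 2" not in top:
        findings.append(("MSB-01", "SSH version 2 not enforced; add 'ip ssh version 2'"))
    # MSB-02: unused services off; the HTTP management server is the usual one left on
    if "ip http server" in top:
        findings.append(("MSB-02", "HTTP management server enabled; add 'no ip http server'"))
    # MSB-03: password retry lockout must be configured
    if not any(t.startswith("login block-for") for t in top):
        findings.append(("MSB-03", "no login lockout; add 'login block-for <sec> attempts <n> within <sec>'"))
    for name, children in sections.items():
        if not name.startswith("line vty"):
            continue
        # MSB-04: vty lines must accept SSH only, never telnet or 'all'
        transports = [c for c in children if c.startswith("transport input")]
        if not transports or any(re.search(r"\b(telnet|all)\b", t) for t in transports):
            findings.append(("MSB-04", f"{name}: telnet allowed; set 'transport input ssh'"))
        # MSB-05: idle session timeout must be explicit and non-zero
        # ('exec-timeout 0 0' disables it; absence relies on the IOS default, which the MSB does not accept)
        timeouts = [c for c in children if c.startswith("exec-timeout")]
        if not timeouts or timeouts[0].split()[1:3] == ["0", "0"]:
            findings.append(("MSB-05", f"{name}: idle timeout not set or disabled; set 'exec-timeout 10 0'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = check_msb(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for control, msg in result:
            print(f"  {control} {msg}")
```

Run against the weak configuration the check reports seven findings (both vty ranges fail the transport and timeout rules separately), and none against the hardened one; the same function can be pointed at every router in the asset list for step 6, and re-run after each change for step 8.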
What Is Information Security Governance ?

• Information security governance in simpler terms just means effective management of the security program
• Responsibility for governance is associated with the Board and senior management
• IT Governance Institute definition:
– "Security governance is the set of responsibilities and practices exercised by the board and executive management, with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."
• ISO27001:2013 ISMS (Information Security Management System) is the world's leading and most widely adopted security governance standard
• ISO27001 "provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
• Ten short clauses and a long Annex A with 114 controls in 14 groups
• 27000+ certifications globally in 2015
Difference Between Policy, SOP, & Guideline

• Policy:
– Formal and high-level requirement for securing the organization and its IT assets (mandatory)
– Scope is across the organization, so it should be brief and focus on desired results
– Signed off by senior management
https://www.linkedin.com/pulse/20140611162901-223517409-difference-between-guideline-procedure-standard-and-policy
• Procedure / SOP:
– More detailed description of the process: who does what, when, and how
– Scope is predominantly at a department level, with a specified audience
– May be signed off by the departmental head
• Guideline:
– General recommendation or statement of best practice
– Not mandatory
– Further elaborates the related SOP
• Standard:
– Specific and mandatory action or rule
– Must include one or more specifications for an IT asset or behavior
– Yardstick to help achieve the policy goals
https://www.slu.edu/its/policies
• In practice:
– The policy is recommended to be a single document applicable at the organizational level (wide audience)
– Sub-policies may be defined at a departmental level
– Policies and standards are mandatory (deviations require exception approval)
• Examples:
– Information security policy
– System administrator password sub-policy
– User ID & access management SOP
– Vulnerability management standard
– Social engineering prevention guideline
What Is An Information Security Program ?

• Project definition:
– A project has a defined start and end point and specific objectives that, when attained, signify completion
• Program definition:
– A program is defined as a group of related projects managed in a coordinated way to obtain benefits not available from managing the projects individually
• Security program:
– Sum total of all activities planned and executed by the organization to meet its security objectives
pmtips.net/blog-new/difference-projects-programmes
https://www.gartner.com/doc/2708617/information-security-program-management-key
• ISO27001:2013 (ISMS) requirements and controls:
1. Policy
2. Management commitment & performance review
3. Risk management
4. Asset management
5. Access control
6. Physical & environmental
7. Operations security
8. Communications security
9. Incident management
10. Business continuity
11. Compliance
12. Third-party reviews
• 4-layer security transformation model (bottom-up): 1. Security Hardening, 2. Vulnerability Management, 3. Security Engineering, 4. Security Governance
• The 4-layer security transformation model may be implemented as an ideal security program
• After establishing a basic policy, the sequence of the program (steps 1 through 4) is paramount in order to achieve constructive results
Role of People, Process, and Tech In InfoSec

• People, process, and technology are together referred to as the information security triad
• All three aspects help to form a holistic view of information security
• All three are important and cannot be overlooked in an information security program or activity
• People:
– People must be trained to effectively and correctly follow policies and information security processes, and to implement technology
– Social engineering and phishing are aspects that people must be trained to handle appropriately
• Processes are fundamental to effective information security:
– User access management
– Backups
– Incident management
– Change management
– Vulnerability management
– Risk management
• Technology plays a central role in the information security program:
– Firewalls
– Antivirus
– Email anti-spam filtering solution
– Web filtering solution
– Data loss prevention (DLP) solution
https://www.rsaconference.com/writable/presentations/file_upload/tech-203.pdf
Role Of An Information Security Manager

• The Information Security Manager (Head of Information Security or CISO) is delegated and authorized by senior management to run the information security program and meet its objectives
• The Information Security Manager develops a policy to regulate the information security program, which is signed off by senior management
• Assigned resources and authority to plan, assess, implement, monitor, test, and accredit the information security activities
http://www.shortinfosec.net/2009/11/role-of-information-security-manager.html
• InfoSec Manager tasks:
– Develop policy
– Training & awareness
– Design security architecture
– Design security controls
– Ensure controls are implemented
– Conduct risk assessment
– Conduct security testing
– Monitor the vulnerability management program
– Facilitate the incident management process
– Sign off critical change management activities
Leading Security Standards & Frameworks

• A standard or framework is a blueprint or roadmap for achieving information security objectives
• Examples are ISO27001:2013 (ISMS), PCI DSS, & COBIT
• ISO27001:2013 (ISMS):
– Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system
– Ten short clauses
– Long annex
[Figure: ISO27001:2013 mandatory clauses]
[Figure: ISO27001:2013 discretionary (Annex A) controls, total 114]
https://chapters.theiia.org/bermuda/Events/ChapterDocuments/Information%20Security%20Management%20System%20%28ISMS%29%20Overview.pdf
• PCI Data Security Standard (DSS):
– Designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment
– Managed by the PCI Security Standards Council (SSC)
https://www.pcicomplianceguide.org/pci-faqs-2/
• PCI DSS:
– The SSC is an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB)
– 6 broad goals and 12 requirements
REF: PCI Best Practices For Implementing Security Awareness, https://www.pcisecuritystandards.org/documents/
[Figures: PCI DSS goals and requirements] https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
• COBIT:
– ISACA framework for IT governance
– COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use (ISACA)
• COBIT 5 brings together five principles that allow the enterprise to build an effective governance and management framework (ISACA)
• Based on a holistic set of seven enablers that optimises IT investment and use for the benefit of stakeholders (ISACA)
What Is Information Security Risk ?

• Risk is a fundamental concept that drives all security standards, frameworks, and activities
• In simple terms, information security risk refers to the potential damage or loss that may be caused to an organization in the absence of appropriate controls
• Risk management is a process aimed at achieving an optimal balance between realizing opportunities for gain and minimizing vulnerabilities and loss
• Usually accomplished by ensuring that the impact of threats exploiting vulnerabilities is within acceptable limits at an acceptable cost
• Risk is managed so that:
– It does not materially impact the business process in an adverse way
– There is an acceptable level of assurance and predictability for the desired outcomes of any organizational activity
• Risk assessment:
– Foundation for effective risk management
– Solid understanding of the risk universe
– Nature and extent of risk to IT resources and potential impact on the organization's activities
REF: ISACA CISM MANUAL
• Challenges with a risk-focused approach:
– In an environment where controls are absent, a risk-based approach may become too academic
– Effort should instead focus on the 4-step security transformation framework
Information Security Lifecycle

• An information security lifecycle represents the recommended sequence to adequately address security during any project or activity
• It is a process to ensure that all security projects and activities consistently follow the same sequence and steps
• Lifecycle steps (cyclic): 1. Requirements → 2. Assess Current Posture → 3. Remediation Plan → 4. Implement Controls → 5. Test/Validate → 6. Accredit → 7. Monitor & Audit → back to 1
• Step 1: Requirements
– Established by policy or the security program
– Could also be driven by the security transformation program
– Establish security exposure, determine risk and priority
• Step 2: Assess current security posture
– Conduct gap analysis
– Could also be a risk assessment and evaluation
• Step 3: Remediation plan
– Methodology & framework
– Controls
– Resources
– Approvals and communication
– Timeline
– Project monitoring and review
– Develop SOP
• Step 4: Implement controls
– Pilot
– Test/validate in pilot
– Change management
– Implement in production/live environment
– Roll back if unexpected response
– Maintain SOP
• Step 5: Test/validate
– Security team or independent review of correctness and coverage of the security control implementation
– Ensure SOP/checklist developed and followed
• Step 6: Security accreditation
– Review that the process has been followed (change management, SOP, sign-offs)
– Establish monitoring mechanism
– Awareness training
– Issue formal accreditation
• Step 7: Monitor & audit
– Monitoring mechanism (KPIs, reporting, review)
– Incident management
– Internal audit
Management Commitment

• What is management commitment?
– Management commitment is the expression of the intent, relevant actions, and allocation of sufficient resources to ensure the InfoSec program is properly implemented
• ISO27001:2013 (ISMS) Clause 5.1, leadership and commitment:
a) Policy and objectives are established (compatible with strategic direction)
b) Integration of ISMS requirements into processes
c) Resources
d) Communicating importance
e) Intended outcomes are achieved
f) Directing and supporting persons
g) Promoting continual improvement
h) Supporting other management roles
• "Tone at the top"
– Management closely watches the actions of executive leadership (culture)
– The importance given to InfoSec by the executive leadership becomes the minimum threshold for the rest of the organization
• In practice:
– Security policy
– Security responsibility delegated to a head (CISO) or department
– Security steering committee (board level)
– Quarterly or more frequent management reviews of the information security program
Information Security Responsibility

• Default organizational perception:
– Security is the responsibility of one person or one department
– Can get away with "security as an afterthought"
– Reactive
• Security is everyone's responsibility:
– Management commitment & tone at the top
– Security awareness campaigns/program
– A strong and effective security program
– Allocation of sufficient resources
• Security involvement & accountability:
– Effective security implementation should be built into the performance KPIs of key team members (management, technical, business)
– Annual appraisals, security awards and recognition
• InfoSec project reporting structure:
– Board [quarterly]
– InfoSec Steering Committee [monthly]
– Information Security Management Committee (ISMC) [weekly]
– IT / InfoSec teams [daily]
• Security is everyone's responsibility and has to gradually take its place in the organizational culture
Cyber Security Breaches

• Fox News video: "World's Biggest Cyber Attacks"
– http://video.foxnews.com/v/5435057924001/?#sp=show-clips
• World's Biggest Data Breaches:
– http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• Leading global reports:
– Verizon 2017 Data Breach Investigations Report (DBIR)
– Symantec 2017 Internet Security Threat Report (ISTR)
[Figures: charts from the above reports]
Challenges Of InfoSec Implementation

• Challenges of IT:
– Complex and difficult to manage
– Under pressure from business groups
– Lack of sufficient competent resources
– Lack of process culture
– IT not aligned to perform diligent security work
[Figure: overlapping functions: InfoSec, Audit, IT, Compliance, Risk]
• Challenges of InfoSec:
– Silos & lack of coherent ownership
– A lot of time & energy wasted in traversing department boundaries
– Enabling environment for tough security work missing
– Security hardening glaringly absent
• Pakistan industry security characteristics:
– Wavering management commitment
– Superficial "dressing" security
– Reactive to regulator audit/compliance mandate
– Industry in denial
• InfoSec transformation model (bottom-up): 1. Security Hardening, 2. Vulnerability Management, 3. Security Engineering, 4. Security Governance
Role Of A Regulator

• A cyber attack can have devastating consequences, causing financial loss and disruption of critical infrastructure
• Cyber security has become a key risk factor, putting under threat not only consumer rights protection but also the viability and health of the industry itself
• A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyber-attacks (Wikipedia)
• Industry regulators, including banking regulators, have taken notice of the risk from cybersecurity and have either begun or are planning to begin to include cybersecurity as an aspect of regulatory examinations (Wikipedia)
• Role of the regulator in cyber security:
– Regulations, guidelines, and audit
– Engagement of key stakeholders
– Technical and industry expertise
– Regional and international cooperation
• Regionally, the most well-developed cyber security strategies and frameworks have been developed by Singapore (ITU rank #1), Malaysia (ITU rank #3), and Oman (ITU rank #4)
• Singapore:
– Cyber Security Agency (2015): strategy, education, outreach, ecosystem development
– National Cyber Security Master Plan 2018 (created 2013)
– Cyber Security Strategy (created 2016)
• Pakistan, Ministry of IT (MOIT):
– National IT Policy 2016 (draft)
– Digital Pakistan Policy 2017
• Pakistan, State Bank of Pakistan (SBP):
– Enterprise Technology Governance & Risk Management Framework for Financial Institutions (30 May 2017)
• Pakistan lacks:
– National cyber security strategy
– National cyber security master plan
– National cyber security agency
– National certification & accreditation body
– National Computer Emergency Response Team (CERT)
Status Of InfoSec in Pakistan

• Pakistan Electronic
Crimes Act (PECA)
enacted as late as 2016
• Cyber security strategy,
eco-system still missing
• Research program,
capacity building,
standardization, &
certification bodies
absent
• Condition of InfoSec in
industry largely dismal
148
Status Of InfoSec in Pakistan

Global Cyber Security Index 2017 (ITU):

Pakistan ranked 67th with a score of 0.44/1


Bangladesh ranked 53rd with a score of 0.524/1
India ranked 23rd with a score of 0.683/1
https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf
149
Status Of InfoSec in Pakistan

• Pakistan cyber security


posture (industry):
– Superficial security
– Reactive
– Emphasis on
governance
– Security hardening of
IT assets largely
absent
– Industry has been in
denial for last decade
150
Status Of InfoSec in Pakistan

• Reasons for poor security posture:
– Archaic digitalization and commerce
– Perception that Pakistan is immune
– Lack of awareness and management commitment
– Lack of effective regulations

151
Status Of InfoSec in Pakistan

• Changing dynamics (PK):
– Pakistan financial industry rocked by Bangladesh SWIFT hack 2016
– WannaCry (May 2017) badly hit several dozen organizations in Pakistan
– Increasing e-commerce, electronic banking
152
Status Of InfoSec in Pakistan

• Pakistan needs:
– Necessary measures
by the Government in
line with what
Malaysia, Oman have
done for cyber
security
– Development of the
security eco-system
as an enabler in order
to drive strong
security posture
153
Typical Enterprise IT Network

• Chapter 2:
– Typical Enterprise IT
Architecture &
Security Overlay

160
Typical Enterprise IT Network

• What does a typical enterprise IT network look like ?

161
Typical Enterprise IT Network

162
Typical Enterprise IT Network

• Edge router
• NGN FW
• DMZ:
– Web security
GW/Proxy
– Application security
FW
– Web server
– Email antispam GW
• IPS & N-DLP
• Distribution switch
163
Typical Enterprise IT Network

• Data center switch & FW
• Access switch
• NAC
• SOC:
– SIEM
– VM
– Other SOC tools
• System AV
• Server HIPS
• UTM
• Mobile device - MDM
164
Major Components: Enterprise IT Network

• Edge router
– WAN interfaces
– Edge filtering (access
lists)
– DDOS protection
• NGN FW
– Capable of APT attack
prevention, malware
filtering, web
security, email
security, application
bandwidth filtering
165
Major Components: Enterprise IT Network

166
Major Components: Enterprise IT Network

• DMZ:
– Security zone with
placement of
published web server,
web & email security
GWs, app security GW
• IPS:
– Intrusion prevention
(signature based)
– May be feature in
NGN-FW

167
Major Components: Enterprise IT Network

• Distribution switch
– Connectivity to
access switches,
external exit point
(WAN), and DC
switch
• Data center switch & FW
– Data center filtering
(malware & access-
lists)

168
Major Components: Enterprise IT Network

• Access switch
– User connectivity
– Switchport security &
access switch security
• NAC
– Network admission
control (IEEE802.1X)
• SIEM
– Logging & dashboard for events, root cause analysis, event correlation

169
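The SIEM role described on this slide (event correlation rather than single-event matching) as an added example that is not code from the handouts: a small correlation rule in Python that reads constructed sample log lines and raises an alert when a successful login follows a burst of failures from the same source within a short window. The log format, host names, addresses and thresholds are assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the handouts): a firewall deny, a burst
# of failed SSH logins followed by a success, and an unrelated single failure.
SAMPLE_LOGS = """\
2017-06-12T09:00:01 fw01 DENY src=198.51.100.7 dst=10.20.5.20 dport=1433
2017-06-12T09:01:10 srv-app01 sshd: Failed password for admin from 10.10.3.4
2017-06-12T09:01:12 srv-app01 sshd: Failed password for admin from 10.10.3.4
2017-06-12T09:01:14 srv-app01 sshd: Failed password for admin from 10.10.3.4
2017-06-12T09:01:16 srv-app01 sshd: Failed password for admin from 10.10.3.4
2017-06-12T09:01:18 srv-app01 sshd: Failed password for admin from 10.10.3.4
2017-06-12T09:01:25 srv-app01 sshd: Accepted password for admin from 10.10.3.4
2017-06-12T09:05:00 srv-db01 sshd: Failed password for oracle from 10.10.9.9
2017-06-12T09:30:00 srv-db01 sshd: Accepted password for oracle from 10.10.9.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def parse(text):
    """Normalise raw lines into event dicts; non-auth lines are kept with kind='other'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: a real SIEM would count these as parse failures
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
              "kind": "other", "user": None, "src": None}
        a = AUTH_RE.search(m["msg"])
        if a:
            ev["kind"] = "fail" if a["result"] == "Failed" else "ok"
            ev["user"], ev["src"] = a["user"], a["src"]
        events.append(ev)
    return events


def correlate(events, threshold=5, window_s=60):
    """Alert when a successful login on (host, source) is preceded by at least
    `threshold` failures inside the last `window_s` seconds."""
    window = timedelta(seconds=window_s)
    fails = defaultdict(list)  # (host, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] not in ("fail", "ok"):
            continue
        key = (ev["host"], ev["src"])
        recent = [t for t in fails[key] if ev["ts"] - t <= window]
        if ev["kind"] == "fail":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "success-after-failures", "host": ev["host"],
                           "src": ev["src"], "user": ev["user"],
                           "failures": len(recent),
                           "succeeded_at": ev["ts"].isoformat()})
        fails[key] = recent
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

The single failure against srv-db01 followed by a success 25 minutes later does not fire, which is the point of keeping a time window: the rule reacts to the sequence, not to the individual events.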
Major Components: Enterprise IT Network

• Vulnerability Manager
– Vulnerability scanning
and asset tracking
• System AV
– Signature based
malware prevention
• Server HIPS
– IPS features for
servers, also file
integrity checking

170
Major Components: Enterprise IT Network

• UTM
– Multi-featured NGN
FW device
• Mobile device – MDM
– Security features for
mobile devices

171
OSI Security Architecture

• ITU-T X.800, Security Architecture For OSI (‘91)
• Defines a technique for defining security requirements, and characterizes the approaches to satisfy those requirements
• Defines security attack, mechanism, and service
http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf
https://cgi.csc.liv.ac.uk/~alexei/COMP522_10/COMP522-SecurityArchitecture_07.pdf
172
OSI Security Architecture

• Security attack: action that compromises the security of information owned by an organization (or person)
– Passive: aims to learn or make use of system information only
– Active: attempts to alter system resources/operation
https://cgi.csc.liv.ac.uk/~alexei/COMP522_10/COMP522-SecurityArchitecture_07.pdf
173
OSI Security Architecture

• Security service is a
service that ensures
adequate security of the
system or data transfer
– Authentication
– Access control
– Data confidentiality
– Data integrity
– Non-repudiation
– Availability
https://cgi.csc.liv.ac.uk/~alexei/COMP522_10/COMP522-SecurityArchitecture_07.pdf
174
OSI Security Architecture

http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf
175
OSI Security Architecture

• Security mechanism:
– Feature designed to
detect, prevent, or
recover from a
security attack
– Cryptography
underlies many of the
mechanisms
http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf

176
OSI Security Architecture

http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf

177
OSI Security Architecture

http://www.cse.wustl.edu/~jain/cse571-11/ftp/l_01ov.pdf
178
OSI Security Architecture

• ITU-T X.800, Security Architecture For OSI is dated from 1991

179
New IT Frontiers: Cloud, Mobile, Social, IOT

• IT dynamics are
changing the way we
communicate, work, and
live
• These disruptive new IT
frontiers have significant
security consequences

180
New IT Frontiers: Cloud, Mobile, Social, IOT

[Diagram: Changing Face Of IT, with Cloud, Mobile, Social, and IOT surrounding it]

181
New IT Frontiers: Cloud, Mobile, Social, IOT

https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf
182
New IT Frontiers: Cloud, Mobile, Social, IOT

https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

183
New IT Frontiers: Cloud, Mobile, Social, IOT

https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

184
New IT Frontiers: Cloud, Mobile, Social, IOT

https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

185
New IT Frontiers: Cloud, Mobile, Social, IOT

• For cloud, mobile, and IOT security guidance, checklists, and other details visit:
– www.cloudsecurityalliance.org
– www.owasp.org

186
New IT Frontiers: Cloud, Mobile, Social, IOT

• Useful URLs:
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
– https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
– https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf
– https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Guidance_v1.pdf
– https://downloads.cloudsecurityalliance.org/assets/research/mobile/MAST_White_Paper.pdf
– https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
– https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/connected-vehicle-security.pdf

187
Virtualization Environment Security

• Cloud Security Alliance: “Best Practices For Mitigating Risks In Virtual Environments” (PDF)
• Virtualization security classified into three areas:
– Architectural
– Hypervisor software
– Configuration

188
Virtualization Environment Security

1. VM Sprawl
2. Sensitive data within
VM
3. Security of offline and
dormant VMs
4. Security of Pre-
configured (Golden
Image) VMs
5. Lack of visibility into
virtual networks

189
Virtualization Environment Security

• Risk # 1 (VM Sprawl)
– Impact: VMs can be created quickly, self-provisioned, or moved between physical servers, avoiding conventional change management process
– Proliferation of VMs causing performance and security risks
190
Virtualization Environment Security

• Risk # 1 (VM Sprawl)
– Controls: Policies, procedures and governance of VM lifecycle management
– Control creation, storage and use of VM images with a formal change management process
– Discover VMs & apply security controls
191
Virtualization Environment Security

• Risk # 1 (VM Sprawl)
– Controls: keep a small number of identified, good and patched images of a guest operating system separately for fast recovery & restoration of systems

192
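The VM sprawl controls on the slides above (govern the VM lifecycle, control images through change management, discover VMs and apply controls, keep a few known-good golden images) as an added example that is not code from the handouts or from the CSA paper: a Python reconciliation that compares what the hypervisor reports with what change management approved and with the approved golden images, and flags unregistered, non-golden and dormant VMs. The inventory, CMDB ids, image names and the 90-day dormancy threshold are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed data (not from the handouts): what the hypervisor reports,
# what change management has approved, and the approved golden images.
HYPERVISOR_INVENTORY = [
    {"name": "vm-web01", "image": "win2012-gold-2017q2", "cmdb_id": "CI-1001",
     "last_power_on": date(2017, 6, 10)},
    {"name": "vm-db01", "image": "centos7-gold-2017q2", "cmdb_id": "CI-1002",
     "last_power_on": date(2017, 6, 11)},
    {"name": "vm-devtest7", "image": "win2012-clone-of-web01", "cmdb_id": None,
     "last_power_on": date(2017, 6, 9)},
    {"name": "vm-old-erp", "image": "win2012-gold-2016q4", "cmdb_id": "CI-0950",
     "last_power_on": date(2016, 11, 20)},
    {"name": "vm-snapshot-copy", "image": "centos7-gold-2017q2", "cmdb_id": None,
     "last_power_on": date(2017, 6, 12)},
]
APPROVED_CMDB_IDS = {"CI-1001", "CI-1002", "CI-0950"}   # constructed approvals
GOLDEN_IMAGES = {"win2012-gold-2017q2", "centos7-gold-2017q2"}  # current golden set


def review_inventory(inventory, approved_ids, golden_images, today, dormant_days=90):
    """Return {vm name: [findings]}; an empty list means the VM passed every check."""
    findings = {}
    for vm in inventory:
        issues = []
        if vm["cmdb_id"] is None or vm["cmdb_id"] not in approved_ids:
            issues.append("unregistered")       # sprawl: built outside change management
        if vm["image"] not in golden_images:
            issues.append("non-golden-image")   # unknown patch level, no baseline
        if today - vm["last_power_on"] > timedelta(days=dormant_days):
            issues.append("dormant")            # missed patch cycles; patch before return to service
        findings[vm["name"]] = issues
    return findings


def summarize(findings):
    """Count VMs per finding type, the figures a monthly governance report would carry."""
    counts = {}
    for issues in findings.values():
        for issue in issues:
            counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    result = review_inventory(HYPERVISOR_INVENTORY, APPROVED_CMDB_IDS,
                              GOLDEN_IMAGES, today=date(2017, 6, 12))
    for name, issues in result.items():
        print(f"{name:18} {', '.join(issues) or 'ok'}")
    print(summarize(result))
```

Running the review on a schedule, with the output feeding the change management queue, is what turns the "discover VMs" control into a repeatable process rather than a one-off audit.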
Virtualization Environment Security

• Risk # 2 (Sensitive Data Within a VM)
– Impact: VM images and snapshots can be copied easily via USB or console of hypervisor installed elsewhere

193
Virtualization Environment Security

• Risk # 2 (Sensitive Data Within a VM)
– Controls: Encrypt data stored on virtual and cloud servers
– Policies to restrict storage of VM images and snapshots
– Image change management process with approvals
– Logging & monitoring
194
Case Study – Enterprise Network (Small Org)

• Organizational
characteristics:
– Location: Karachi
– 70 total staff
– 10 IT staff
– 8 servers
– 1 main DC, no DR site
– IT service oriented
business delivered to
banks, telcos,
enterprises
195
Case Study – Enterprise Network (Small Org)

• Organizational culture:
– Small IT oriented
profitable business
– Mostly chaotic
culture with no
defined or
documented
processes
– Organization lacks
discipline (execution)
– Quality of resources:
average
196
Case Study – Enterprise Network (Small Org)

• IT setup:
– Windows 2010/2012, Linux server OS
– ASP.net 4.x, PHP applications (total 10)
– Windows 8/10 desktops (50+)
– 1 Cisco ASA FW in DC
– No DR site or offsite backup
– Free AV, no AD, no licenses
197
Case Study – Enterprise Network (Small Org)

• Security posture:
– Completely absent
– No hardening done
– No vulnerability management
– No security management or governance
– No policy or staff dedicated for security
– No management commitment (prior)
198
Case Study – Enterprise Network (Small Org)

• Security requirement:
– Customers are banks
and telcos
– Desired
ISO27001:2013 (ISMS)
certification for
customer RFPs

199
Case Study – Enterprise Network (Small Org)

• Driving change ?
– Executive
management facing
security questions
from top clients
– COO approaches
security consulting
company for pen-
testing
– Consultant advises
project for security
transformation
200
Case Study – Enterprise Network (Small Org)

• Security transformation
project:
– Project initiation: 2
Mths
– Layer 1: security
hardening of IT assets
(6 Mths)
– Layer 2: VM (1 Mth)
– Layer 3: security
engineering (1 Mth)
– Layer 4: Governance
& ISO cert.(3 Mths)
201
Case Study – Enterprise Network (Small Org)

• Conclusion:
– Absence of a process
oriented, organized
culture makes it
difficult for security
implementation
– Adhoc culture is
difficult to transform
– Executive
management support
and commitment was
the success factor
202
Case Study – Enterprise (Medium Org)

• Organizational
characteristics:
– Location: Lahore
– 350 total staff
(group)
– 15+ IT staff
– 25 servers
– 1 main DC, 1 DR site, 1
backup site
– IT service business in
media industry
203
Case Study – Enterprise (Medium Org)

• Organizational culture:
– Medium sized,
profitable IT business
– Good internal culture
(several employees
with org since 10 yrs)
– Organization lacks
processes
– Teams have
execution discipline
– Senior resources are
experienced
204
Case Study – Enterprise (Medium Org)

• IT setup:
– Windows 2010/2012,
Linux server OS
– Oracle & MS-SQL
databases
– ASP.net 4.x
applications (total 15)
– Windows 8/10
desktops (300+)
– 1 Cisco ASA FW in DC;
MicroTik routers as
edge routers
205
Case Study – Enterprise (Medium Org)

• IT setup (contd):
– Asterisk voice server
for call center (10
seats, 6-8 lines)
– 1 DR site (offshore)
and 1 backup site (PK)
– Panda AV, AD,
unlicensed windows
– Mdaemon for email
server, migrating to
MS Exchange

206
Case Study – Enterprise (Medium Org)

• Security posture:
– Completely absent
– No hardening done
– No vulnerability management
– No security management or governance
– No policy or staff dedicated for security
– No management commitment (prior)
207
Case Study – Enterprise (Medium Org)

• Security requirement:
– Security incident;
competitive data
leakage to third-party
by internal employee
– License renewal due
by regulator;
demonstration of
security commitment
imperative

208
Case Study – Enterprise (Medium Org)

• Driving change ?
– Executive
management
concerned about
information security
& security culture
– CEO approaches
security consulting
company
– Consultant advises
project for security
transformation
209
Case Study – Enterprise (Medium Org)

• Security transformation
project:
– Project initiation: 15
days
– Layer 1: security
hardening of IT assets
(3 Mths)
– Layer 2: VM (1 Mth)
– Layer 3: security
engineering (4 Mths)
– Layer 4: Governance
& ISO cert.(3 Mths)
210
Case Study – Enterprise (Medium Org)

• Conclusion:
– Senior resources in the organization were committed
– Demonstration of security commitment was essential for the organization’s survival
– ISO27001:2013 (ISMS) serves as credible credential for customers/regulator
Case Study – Enterprise (Large Org)

• Organizational
characteristics:
– Location: Karachi
– 10,000+ total staff
– 150 IT staff
– 200 servers
– 1 main DC, 1 DR site
– Energy & distribution
sector

212
Case Study – Enterprise (Large Org)

• Organizational culture:
– Large sized privatized
org
– Strong internal
culture
– Organization lacks
process culture
– Teams have high
execution discipline
– Good quality &
qualification of IT
resources
213
Case Study – Enterprise (Large Org)

• IT setup:
– Windows 2010/2012,
Linux, AIX OS
– Oracle & MS-SQL
databases
– Over 100 internal
applications
(Sharepoint, GIS,
ASP.net)
– Windows 7/8/10
desktops (5500+)

214
Case Study – Enterprise (Large Org)

• IT setup (contd):
– Asterisk voice server
for voice
communication
– 1 DR site (hosted)
– Licensed AV, AD, &
windows
– Complete SAP ERP
suite & internal
development

215
Case Study – Enterprise (Large Org)

• Security posture:
– Superficial
– No hardening done
– Weak vulnerability
management
– Poor security
management/
governance
– Security team exists
– No management
commitment (prior)
216
Case Study – Enterprise (Large Org)

• Security requirement:
– Security incident;
servers hacked
causing financial loss

217
Case Study – Enterprise (Large Org)

• Driving change ?
– Executive
management
concerned about
information security
& security culture
– Board drives IT to hire
consultant
– Consultant convinces
IT to go for security
transformation

218
Case Study – Enterprise (Large Org)

• Security transformation project:
– Project initiation: 15 days
– Layer 1: security hardening of IT assets (6 Mths)
– Layer 2: VM (1 Mth)
– Layer 3: security engineering (1 Mth)
– Layer 4: Governance & ISO cert. (5 Mths)
Case Study – Enterprise (Large Org)

• Conclusion:
– Strong commitment
of the Board & IT
Director drove the
implementation of
the security
transformation
project
– ISO27001:2013 (ISMS)
achieved as a security
credential

220
Structure Of An IT Team

• Typical organogram of
an IT team
• Job functions
• Additional tasks
• Large sized org
• Medium sized org
• Small sized org

221
Structure Of An IT Team

GENERAL STRUCTURE

CIO
– Executive Asst. (reports to CIO)
– GM Networks & Infrastructure
– GM IT Operations
– GM Software Development
– GM IT Services
– GM PMU/Business Tech
– IT Security
– Procurement/Finance

222
Structure Of An IT Team

JOB FUNCTIONS

CIO (Executive Asst. reporting to CIO)
– GM Networks & Infrastructure: Networks, Data Center, Capacity Planning
– GM IT Operations: Servers Uptime
– GM Software Development: Software Acquisition & Business Dev.
– GM IT Services: Web Proxy, Email, Service Desk
– GM PMU/Business Tech: Project Management/ Business Interface
– IT Security: Security function
– Procurement/Finance: Vendor Interaction, Procurement

223
Structure Of An IT Team

ADDITIONAL TASKS

CIO (Executive Asst. reporting to CIO)
– GM Networks & Infrastructure: Networks, Data Center, Capacity Planning; additional: Nationwide application connectivity support
– GM IT Operations: Servers Uptime; additional: Database ops
– GM Software Development: Software Acquisition & Business Dev.; additional: Software CRs
– GM IT Services: Web Proxy, Email, Service Desk; additional: Thin Clients, Call Center
– GM PMU/Business Tech: Project Management/ Business Interface; additional: Steering Committee
– IT Security: Security function; additional: Compliance
– Procurement/Finance: Vendor Interaction, Procurement; additional: Vendor Mngmt, IT accounting

224
Structure Of An IT Team

LARGE ORG (150 IT Staff)

CIO (Executive Asst. reporting to CIO)
– GM Networks & Infrastructure: Networks, Data Center, Capacity Planning
– GM IT Operations: Servers Uptime
– GM Software Development: Software Acquisition & Business Dev.
– GM IT Services: Web Proxy, Email, Service Desk
– GM PMU/Business Tech: Project Management/ Business Interface
– IT Security: Security function
– Procurement/Finance: Vendor Interaction, Procurement

225
Structure Of An IT Team

MEDIUM ORG (15-20 IT Staff)

Head Of IT
– Head Of IT Infrastructure: All IT Infrastructure, Servers, Data Center
– Head Of Applications: Software Acquisition & Dev., Databases
– Head Of IT Support: All Internal & Customer Support Functions, Helpdesk

226
Structure Of An IT Team

SMALL ORG (7-8 IT Staff)

COO
– Head Of IT Infrastructure & Support: All IT Infrastructure, Servers, Data Center, IT Helpdesk & Support
– Head Of Applications: Software Acquisition & Dev., Databases

227
Structure Of An IT Team

• IT teams come in various structures; however, there are set industry best-practices, and organizations should follow tried & tested best-practices
• IT is today an enabler forming the engine for business automation, but also carries with it security hazards
228
Objectives, Performance KPIs, Priorities Of IT

• IT is a challenging
domain which requires
skill, experience,
structure, and spending
to run efficiently
• Business is making steep
demands on IT for agile
delivery of applications
in order to keep up with
competition
• Running IT requires a
diverse skillset
229
Objectives, Performance KPIs, Priorities Of IT

• Primary objective set for IT by management is to:
– Set up the infrastructure with least cost in the minimum time
– Maintain the network with minimum disruption and maximum performance requiring the least resources
230
Objectives, Performance KPIs, Priorities Of IT

• Performance KPIs:
– Minimal network
disruption
– Timely completion of
new projects
– Quick and efficient
changes to existing
applications (change-
requests) to meet
business
requirements

231
Objectives, Performance KPIs, Priorities Of IT

• Priorities of IT:
– To meet the
performance KPIs
– To meet adhoc and
unplanned business
requirements

• Note that security figures nowhere in the objectives, performance KPIs, or priorities of IT teams
232
Objectives, Performance KPIs, Priorities Of IT

• General IT teams
performance in Banking:
– Extremely large
number of
applications
(hundreds) & legacy
– Heavy-weight
business teams and IT
seen as a cost-center
– Technologists
generally poor at
banking (business)
233
Objectives, Performance KPIs, Priorities Of IT

• General IT teams
performance in Telcos:
– More professional
and qualified
workforce
– Most telco have been
setup in the last 10
years so have clean
greenfield networks
(no legacy)
– Fewer applications; IT
supports business
234
Objectives, Performance KPIs, Priorities Of IT

• General IT teams
performance in
Enterprise:
– Competence and
professionalism of IT
teams matches
culture of
organization
– IT efficiency driven by
top management
commitment and
interest
235
Objectives, Performance KPIs, Priorities Of IT

• Security posture:
– Surprisingly in 95% of
all orgs in Pakistan
(all types and sizes),
security posture has
been found to be
deficient
– Lack of awareness in
the country has
contributed to this
deficient and poor
security posture
236
IT Team Interaction With Other Stakeholders

• IT budget/projects
approved by IT Steering
Committee (annual)
• Business requirements &
new projects
• Audit & compliance
requirements
• Expansion (branches) &
maintenance
• IT support for
computing (helpdesk)
• Business continuity & DR
237
IT Team Interaction With Other Stakeholders

• IT budget/projects
approved by IT Steering
Committee (annual):
– Capex and opex
layout
– Includes new projects
& licensing /
maintenance of
operations
– New hirings

238
IT Team Interaction With Other Stakeholders

• Business requirements & new projects:
– New upcoming business projects
– Change requests (CRs) and expansion of existing business projects
– Vendor management for business solutions
– UAT (testing) of business applications
239
IT Team Interaction With Other Stakeholders

• Audit & compliance requirements:
– External audit
– Internal audit
– Compliance
– Information security & risk depts

240
IT Team Interaction With Other Stakeholders

• Expansion (branches) & maintenance:
– IT requirements for business expansion (new branches, new locations, new territories)
– Maintenance of existing IT infrastructure (UPS, networking, bandwidth circuits)
241
IT Team Interaction With Other Stakeholders

• IT support for
computing (helpdesk):
– New software and
versions rollout (e.g.
migration of AV or
email program)
– IT support for
business functions
(application not
working, speed slow,
etc)
– Software bugs
242
IT Team Interaction With Other Stakeholders

• Business continuity & DR:
– DR is a technology function for which interaction with business functions is required (testing)
– Business continuity is handled under business operations, in which IT also participates
243
Security Overlay Of Enterprise (Part 1)

• How is the enterprise secured with the help of various components and security design ?

244
Security Overlay Of Enterprise (Part 1)

[Diagram: enterprise network with its security overlay. Threats shown: choked circuit, web attacks, DDOS, malware, APT attacks, zero-day attacks, website hacking & defacement, data leakage, spam, spear-phishing attacks, infected system, non-compliant system, infected server, data theft / unauthorized access, malicious user, user productivity. Components shown: regional office UTM, ISP router, zero-day attack protection, web security GW, web server, app FW, DMZ FW, email antispam GW, IPS, N-DLP, WAN/extranet & DR switch, access switch, NAC, SIEM, DC switch/FW, VM, NMS]
Security Overlay Of Enterprise (Part 1)

Security Challenge | Location/Device | Security Solution
Perimeter Filtering | Edge Router | Access Lists & Various RFCs
DDOS Attack | Edge Router/DDOS Protection Solution | DDOS Protection
Zero-Day Attack / APT Attack | Edge Device / Edge NGN FW | Zero-Day/APT Attack Prevention
Web Server Attacks | DMZ / Web Application FW | Web Application Attack Prevention
Email SPAM & Malware/Phishing | DMZ / Email Security GW | Email Security

246
Security Overlay Of Enterprise (Part 1)

Security Challenge | Location/Device | Security Solution
Web-based User Attacks | DMZ / Web Security GW | Web Filtering & Malware Protection
System Malware | System | AV
User Network Access Control | At Aggregation Point Of User Access | Network Admission Control (NAC)
User Controls For USB/Media, HDD Encrypt | System | Data Loss Prevention (DLP) – System Level
Remote Branch Connectivity/ Malware | Intranet-Extranet Edge / UTM | Unified Threat Management (UTM) Solution
247
Security Overlay Of Enterprise (Part 1)

Security Challenge | Location/Device | Security Solution
Data Center Unauthorized Access / Malware | Data Center FW | Data Center FW Filtering & Malware Protection
Data Exfiltration | Edge / Network DLP | Network DLP Solution
Event Monitoring & Detection | Data Center / SIEM | Security Info. & Event Management
Unpatched Systems | Data Center / VM | Vulnerability Scanner
Server Integrity Monitoring & IPS Filtering | Data Center / HIPS | Host Intrusion Prevention System (HIPS)

248
Security Overlay Of Enterprise (Part 2)

• What are the traffic flows specific to good security design ?

250
Security Overlay Of Enterprise (Part 2)

[Slides 251-259: diagrams of the traffic flows through the security design; no text survives from these slides]
Security Overlay Of Enterprise (Part 2)

• Granular access list filtering and a well planned and tested security design are keys to success

260
Security Overlay Of Enterprise (Part 3)

• General security design principles

261
Security Overlay Of Enterprise (Part 3)

262
Security Overlay Of Enterprise (Part 3)

1. Block unauthorized
traffic at edge (direct
public www traffic to
DMZ web server)
2. Edge malware
protection & DMZ
3. Web & email are
important vectors to
secure against malware
and attacks
4. NGN-FW (may be found
in a UTM as well)
263
Security Overlay Of Enterprise (Part 3)

5. Web security GW and email anti-spam GW solutions
6. Granular access list filtering in edge and data center FWs (source, destination, and traffic type/port)
7. A good AV solution, and keep virus definitions updated
8. Monthly VM scans
264
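The design principles above (block unauthorized traffic at the edge, steer public www traffic to the DMZ web server, granular source/destination/port filtering in the edge and data center FWs) as an added example that is not code from the handouts: a small zone-based policy evaluator in Python, with a flat permit-all policy beside the granular one so the two can be audited against the same flows. The zone names, address ranges, rule set and sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (hypothetical; not from the handouts).
ZONES = {
    "INTERNET": ip_network("0.0.0.0/0"),
    "DMZ": ip_network("203.0.113.0/24"),
    "USER": ip_network("10.10.0.0/16"),
    "DC": ip_network("10.20.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # zone name or "ANY"
    dst: str              # zone name or "ANY"
    proto: str            # "tcp", "udp" or "ANY"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "permit" or "deny"
    note: str = ""


# Weak setting: a flat "permit ip any any" that lets every zone reach every other.
FLAT_POLICY = [Rule("ANY", "ANY", "ANY", None, "permit", "permit ip any any")]

# Corrected setting: each flow named by source zone, destination zone and port,
# with an explicit deny at the end so anything unlisted is dropped.
GRANULAR_POLICY = [
    Rule("INTERNET", "DMZ", "tcp", 443, "permit", "public www only to the DMZ web server"),
    Rule("INTERNET", "DMZ", "tcp", 25, "permit", "inbound mail only to the antispam GW"),
    Rule("DMZ", "DC", "tcp", 1433, "permit", "web server to its database port only"),
    Rule("USER", "DMZ", "tcp", 8080, "permit", "users reach the web via the security GW/proxy"),
    Rule("USER", "DC", "tcp", 443, "permit", "users to internal applications"),
    Rule("ANY", "ANY", "ANY", None, "deny", "explicit deny all"),
]


def zone_of(ip: str) -> str:
    """Most specific zone wins, so 0.0.0.0/0 only catches addresses outside every other zone."""
    addr = ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return "UNKNOWN"


def evaluate(policy, flow):
    """First-match evaluation; no match falls through to deny."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    for r in policy:
        if r.src not in ("ANY", src_zone) or r.dst not in ("ANY", dst_zone):
            continue
        if r.proto not in ("ANY", flow["proto"]):
            continue
        if r.dport is not None and r.dport != flow["dport"]:
            continue
        return r.action, r.note
    return "deny", "no match (default deny)"


def audit(policy, flows):
    """Map each named flow to the action the policy takes on it."""
    return {f["name"]: evaluate(policy, f)[0] for f in flows}


# Constructed sample flows: public traffic steered to the DMZ, and the data
# center reachable only on the ports the design allows.
SAMPLE_FLOWS = [
    {"name": "public https to web server", "src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    {"name": "internet direct to DC database", "src": "198.51.100.7", "dst": "10.20.5.20", "proto": "tcp", "dport": 1433},
    {"name": "web server to its database", "src": "203.0.113.10", "dst": "10.20.5.20", "proto": "tcp", "dport": 1433},
    {"name": "web server ssh into DC", "src": "203.0.113.10", "dst": "10.20.5.20", "proto": "tcp", "dport": 22},
    {"name": "user http bypassing the proxy", "src": "10.10.3.4", "dst": "198.51.100.7", "proto": "tcp", "dport": 80},
]

if __name__ == "__main__":
    for name, action in audit(GRANULAR_POLICY, SAMPLE_FLOWS).items():
        print(f"{action:6} {name}")
```

The same five flows all pass under the flat policy, which is why a design review should run the intended flows against the rule base rather than read the rules in isolation: the granular set denies the two paths the design never meant to exist (internet straight into the data center, and the DMZ host opening arbitrary ports into the data center) and forces user web traffic through the proxy.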
Security Overlay Of Enterprise (Part 3)

More Advanced Security:
• APT & zero-day attack prevention
• SIEM solution
• Network DLP and system DLP
• Network admission control (NAC)
• Server HIPS
• Web application FW (WAF)
265
Security Overlay Of Enterprise (Part 3)

Even More Advanced Security:
• Network forensics
• Host-based APT / IoC solution
• Identity & access management (IAM)
• Privileged identity management (PIM)
• Database security solution
266
Security Overlay Of Enterprise (Part 3)

• Further guidelines for strong security controls:
– CIS 20 critical security controls

267
High Availability (HA)

• What is high availability (HA) ?
– High availability of a system or component assures a high level of operational performance (uptime) for a given period of time

https://www.digitalocean.com/community/tutorials/what-is-high-availability

270
High Availability (HA)

• High availability is a
strategy
• Fault tolerance refers to
a system designed in
such a way that when
one component fails, a
backup component
takes over operations
immediately to avoid
loss of service

271
High Availability (HA)

https://jazz.net/wiki/bin/view/Deployment/HighAvailability

272
High Availability (HA)

• High availability is
designed in the
following manner:
– System level (data
center or service)
– Device level (within
single device)
– Device level
(combination of
multiple redundant
devices)
– Alternate site level
273
High Availability (HA)

• High availability and fault tolerance:
– Designed to minimize downtime with the help of redundant components
• Disaster Recovery:
– A pre-planned approach for re-establishing IT functions at an alternate site
274
High Availability Design

• Let’s look at various HA designs

275
High Availability Design
ACTIVE-STANDBY SERVER CONFIGURATION

https://www.getfilecloud.com/blog/2015/12/architectural-patterns-for-high-availability/#.WVeex4SGPIU

276
High Availability Design
ACTIVE-ACTIVE SERVER CONFIGURATION

https://www.getfilecloud.com/blog/2015/12/architectural-patterns-for-high-availability/#.WVeex4SGPIU

277
High Availability Design
N+1 UPS REDUNDANT CONFIGURATION

https://www.getfilecloud.com/blog/2015/12/architectural-patterns-for-high-availability/#.WVeex4SGPIU

278
High Availability Design
ACTIVE-STANDBY SUN SERVER CLUSTER

https://docs.oracle.com/cd/E19693-01/819-0992/6n3cn7p3n/index.html
279
High Availability Design
NETWORK REDUNDANT CONFIGURATION

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/HA_campus_DG/hacampusdg.html
280
High Availability Design
DATA CENTER REDUNDANT CONFIGURATION

https://www.getfilecloud.com/blog/2015/12/architectural-patterns-for-high-availability/#.WVeex4SGPIU
281
High Availability Design

• Don’t forget to test the failover and fault tolerant capabilities of your network

282
Site Redundancy

• Three types of redundant site models:
– Hot site
– Cold site
– Warm site

283
Site Redundancy

• Hot site (expensive):
– Mirror of primary data center
– Populated with servers, cooling, power, and office space
– Running concurrently with main/primary data center (synching)
– Minimal impact
http://www.seguetech.com/three-stages-disaster-recovery-sites/
284
Site Redundancy

• Cold site (cheapest):
– Office or data center space without any server related equipment installed
– Power, cooling and office space
– Servers/equipment migrated in event of primary site failure

http://www.seguetech.com/three-stages-disaster-recovery-sites/
285
Site Redundancy

• Warm site (middle ground):
– Middle ground between hot site and cold site
– Some pre-installed server hardware (ready for installation of production environments)
– Requires engineering support to activate
http://www.seguetech.com/three-stages-disaster-recovery-sites/
286
Site Redundancy

[Diagram: HYBRID SITE REDUNDANCY ARCHITECTURE, showing the PRIMARY SITE, the SECONDARY SITE, and the DR SITE]

287
Site Redundancy

• RTO:
– Max amount of time,
following a disaster,
for an organization to
recover files from
backup storage and
resume normal
operations (max
amount of downtime
an organization can
handle)
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
288
Site Redundancy

• RPO:
– Max age of files that
an organization must
recover from
backup storage for
normal operations to
resume after a
disaster (minimum
frequency
of backups)

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
289
Site Redundancy

• Example:
– If an organization has an RTO of two hours, it cannot be down for longer than that.
– If an organization has an RPO of four hours, the system must back up at least every four hours.

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
290
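The RTO/RPO example above, together with the uptime percentages and N+1 redundancy used elsewhere in these HA slides, carried through in code as an added example that is not from the handouts or from the cited TechTarget page: it measures the data loss a given backup schedule would actually produce against an RPO, checks a recovery time against an RTO, converts an availability target into a yearly downtime budget, and gives the simplified availability of independent redundant components. The backup timestamps, the missed 12:00 run and the targets are constructed for the example.

```python
from datetime import datetime, timedelta

HOURS_PER_YEAR = 24 * 365


def last_backup_before(backup_times, disaster_time):
    """Most recent completed backup strictly before the outage began, or None."""
    earlier = [t for t in backup_times if t < disaster_time]
    return max(earlier) if earlier else None


def data_loss(backup_times, disaster_time):
    """Age of the data that will be restored: the RPO actually experienced."""
    last = last_backup_before(backup_times, disaster_time)
    if last is None:
        raise ValueError("no usable backup before the disaster: total data loss")
    return disaster_time - last


def rpo_met(backup_times, disaster_time, rpo):
    """True when the restored data is no older than the RPO allows."""
    return data_loss(backup_times, disaster_time) <= rpo


def rto_met(disaster_time, restored_time, rto):
    """True when service came back inside the RTO."""
    return restored_time - disaster_time <= rto


def allowed_downtime_hours(availability, hours=HOURS_PER_YEAR):
    """Downtime budget implied by an availability target, e.g. 99.9 % -> 8.76 h/yr."""
    return (1.0 - availability) * hours


def redundant_availability(component_availability, copies):
    """Availability of `copies` redundant components where any one is enough
    (assumes independent failures; a simplification, not a vendor figure)."""
    return 1.0 - (1.0 - component_availability) ** copies


# Constructed schedule: backups every four hours, with one run that failed to complete.
BACKUPS = [datetime(2017, 6, 12, h) for h in (0, 4, 8, 16, 20)]  # the 12:00 run is missing
RPO = timedelta(hours=4)
RTO = timedelta(hours=2)


def example_assessment():
    """Evaluate the constructed schedule against the 4 h RPO / 2 h RTO targets."""
    early = datetime(2017, 6, 12, 10, 30)  # outage while the schedule was intact
    late = datetime(2017, 6, 12, 14, 30)   # outage after the missed 12:00 run
    return {
        "loss_early_h": data_loss(BACKUPS, early).total_seconds() / 3600,
        "rpo_met_early": rpo_met(BACKUPS, early, RPO),
        "loss_late_h": data_loss(BACKUPS, late).total_seconds() / 3600,
        "rpo_met_late": rpo_met(BACKUPS, late, RPO),
        "rto_met": rto_met(early, datetime(2017, 6, 12, 12, 0), RTO),
        "downtime_budget_h": allowed_downtime_hours(0.999),
    }


if __name__ == "__main__":
    for key, value in example_assessment().items():
        print(f"{key:18} {value}")
    print("two 99 % components in parallel:", redundant_availability(0.99, 2))
```

The late outage is the case a backup checker exists for: the schedule still says "every four hours", but the missed run silently doubled the data loss beyond the RPO, which only shows up when the actual backup timestamps, not the plan, are measured.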
High Availability & Redundancy Case Study

• Mid-sized enterprise
• 3000 total staff
• 2000 IT users
• 30 IT team
• One DC, one secondary
(regional) data center
(warm site & backup
site), and one DR site
• 99.9 % uptime designed

291
High Availability & Redundancy Case Study

[Diagram: HYBRID SITE REDUNDANCY ARCHITECTURE, showing the PRIMARY SITE, the SECONDARY SITE, and the DR SITE]

292
High Availability & Redundancy Case Study

• IT setup:
– Oracle ERP system
– Sharepoint portal for workflow automation
– Head office in Karachi
– Primary DC in Karachi (hosted with 3rd party)
– DR site in Lahore (hosted with 3rd party)
– Secondary DC in ISB
293
High Availability & Redundancy Case Study

• Primary DC:
– Fully redundant (HA)
design for network,
systems, and storage
– Cisco HA (active-
standby)
– Oracle cluster
technology for
servers and DBs
(active-active)

294
High Availability & Redundancy Case Study

• Secondary DC (ISB):
– All network, systems,
and storage backups
maintained here
(also mirrored in DR)
– Regional servers (AD,
file servers, etc)
– Test & staging
environment here
(segregated from
main DC)
– Office working space
295
High Availability & Redundancy Case Study

• DR site
– Bare minimum HA (as
DR site) for network,
systems, and storage
– Mirror of all backups
from secondary site
maintained here
– Office working space
– Some additional
computing capacity
(minimum for
unforeseen events)
296
High Availability & Redundancy Case Study

• DR site
– All critical systems
and devices
maintained in active
mode (hot) for
immediate DR
failover
– Data maintained as
per org RTO/RPO for
immediate utility
– Monthly DR
testing/drill
297
High Availability & Redundancy Case Study

• Backup strategy:
– Primary backup at the secondary DC (ISB)
– Mirror at DR site
– For critical systems: monthly full backup, daily incremental backup
– For critical network devices: weekly full backup, plus additional backups on every change
298
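An added worked example (not from the handouts) tying the RTO/RPO definitions above to the case-study backup schedule: it computes the worst-case data loss (RPO view) and the worst-case restore chain (RTO view) for a full + incremental policy, and derives how often full backups must run for a given RTO. The restore durations, failover overhead and the two-hour/four-hour targets are assumed values.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional


@dataclass(frozen=True)
class BackupPolicy:
    """A full + incremental schedule and the measured cost of restoring each piece.

    All durations here are constructed for the example, not figures from the handouts.
    """
    full_interval: timedelta   # how often a full backup is taken (case study: monthly)
    incr_interval: timedelta   # how often an incremental is taken (case study: daily)
    full_restore: timedelta    # time to restore one full backup at the DR site
    incr_restore: timedelta    # time to replay one incremental on top of the full


def worst_case_data_loss(policy: BackupPolicy) -> timedelta:
    """RPO view: a disaster just before the next backup loses one incremental interval."""
    return policy.incr_interval


def incrementals_in_chain(policy: BackupPolicy) -> int:
    """Incrementals to replay when the disaster strikes just before the next full backup."""
    slots_per_cycle = policy.full_interval // policy.incr_interval
    return max(slots_per_cycle - 1, 0)


def worst_case_restore_time(policy: BackupPolicy, failover_overhead: timedelta) -> timedelta:
    """RTO view: declare the disaster, restore the full, then replay every incremental since it."""
    return (failover_overhead + policy.full_restore
            + incrementals_in_chain(policy) * policy.incr_restore)


def evaluate(policy: BackupPolicy, rpo: timedelta, rto: timedelta,
             failover_overhead: timedelta) -> dict:
    """Compare the schedule's worst case against the organization's RPO and RTO."""
    loss = worst_case_data_loss(policy)
    restore = worst_case_restore_time(policy, failover_overhead)
    return {"data_loss": loss, "restore_time": restore,
            "meets_rpo": loss <= rpo, "meets_rto": restore <= rto}


def max_full_interval(policy: BackupPolicy, rto: timedelta,
                      failover_overhead: timedelta) -> Optional[timedelta]:
    """Longest gap between full backups whose worst-case restore chain still fits the RTO.

    Returns None when even a bare full restore exceeds the RTO: the schedule cannot help,
    faster restore media or a hot standby is needed instead.
    """
    budget = rto - failover_overhead - policy.full_restore
    if budget < timedelta(0):
        return None
    replayable = budget // policy.incr_restore      # incrementals that fit in the leftover time
    return (replayable + 1) * policy.incr_interval


# Constructed targets matching the slide example: RTO two hours, RPO four hours.
RTO = timedelta(hours=2)
RPO = timedelta(hours=4)
FAILOVER_OVERHEAD = timedelta(minutes=15)   # assumed time to declare and invoke DR

# Case-study schedule (monthly full, daily incremental) with assumed restore times.
MONTHLY_DAILY = BackupPolicy(timedelta(days=30), timedelta(days=1),
                             timedelta(minutes=60), timedelta(minutes=5))
# Same full cadence, incrementals every four hours: meets the RPO but still not the RTO.
FOUR_HOURLY = BackupPolicy(timedelta(days=30), timedelta(hours=4),
                           timedelta(minutes=60), timedelta(minutes=5))

if __name__ == "__main__":
    for name, policy in (("monthly/daily", MONTHLY_DAILY), ("monthly/4-hourly", FOUR_HOURLY)):
        print(name, evaluate(policy, RPO, RTO, FAILOVER_OVERHEAD))
    # How often fulls must run so that 4-hourly incrementals still restore within 2 hours.
    print("full backup at least every", max_full_interval(FOUR_HOURLY, RTO, FAILOVER_OVERHEAD))
```

The point the numbers make: shortening the incremental interval fixes the RPO, but the RTO is governed by the length of the restore chain, which only a more frequent full backup (here at least every 40 hours) brings under the two-hour target.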
Backup Strategies

• Backup considerations:
– What to backup ?
– Backup location ?
– Freq of backup ?
– Backup operator ?
– Backup checker
(verification) ?
– Backup test & security
methods ?
– Technology & tools
used for backup ?
http://www.techsoup.org/support/articles-and-how-tos/your-organizations-backup-strategy
299
Backup Strategies

• What to backup ?
– Network
configuration files
– OS backups
– Database &
application data
– Other critical data

300
Backup Strategies

• Backup location ?
– Onsite for faster
recovery
– Offsite for DR
purposes
– Intermediate site
(secondary site) as a
middle-ground

301
Backup Strategies

• Backup frequency ?
– Depends entirely on
criticality of data,
nature of the
information being
backed up (how
frequently does info
change ?), storage
space available, and
overall backup plan

302
Backup Strategies

• Backup operator and checker ?
– Backups should ideally be automated
– Operator should ensure that backups have taken place
– Verifier should sign-off that the check has been made

303
Backup Strategies

• Backup testing & security considerations:
– Backup testing should be performed on a periodic basis, more frequently than the DR drill (e.g. DR drill once a quarter, and backup testing once a month)
– Encryption & compression
304
Backup Strategies

• Backup tools and technology:
– Consider NAS, SAN, SCSI/IDE/SATA drives
– Various tools and technology to perform full, differential, and incremental backups
– Encryption
– Access control
– Alerts & reporting
305
Security Tools Used In An Enterprise

• Typical security tools used in an enterprise:
– Enterprise antivirus
– MS Active Directory (AD)
– Vulnerability manager
– Logs management
– Network & performance monitoring
– Automated backups
306
Security Tools Used In An Enterprise
• Typical security tools used in an enterprise:
– Microsoft Windows Server Update Services (WSUS) & SCM/SCCM
– Asset management software
– Trouble-ticket system
– SIEM
– DLP
– Encryption software
– 2FA
307
Security Tools Used In An Enterprise
Tool | Function | Complexity level | Examples
Enterprise Antivirus | System antivirus and malware protection | Low | Sophos, Avast, Kaspersky, Symantec, McAfee
MS AD (GP) | Pushing out security policies through AD GPO | Low | Pushing out Windows password settings
VM | Vulnerability scanning | Medium | OpenVAS, Nessus, Qualys
308
Security Tools Used In An Enterprise
Tool | Function | Complexity level | Examples
Log Management | Logs collection & analysis | Medium | OSSEC
Network & Performance Management | NOC | Low | CACTI, ORION
Automated Backups | Backups | Medium | Veritas
Windows Updates | Windows updates & configs | Low | WSUS, SCCM, SCM
309
Security Tools Used In An Enterprise
Tool | Function | Complexity level | Examples
Asset Management | Detect, track, manage assets | Medium | Asset Explorer, PulseWay
Trouble Ticket System | TT workflow | Medium | BMC Track-IT, SysAid
SIEM | Event management | High | OSSEC, Splunk, Q-Radar
DLP | Data loss prevention | High | Symantec
Encryption Software | Encryption | High | TrueCrypt

310
Security Tools Used In An Enterprise

• Lots of tools available
• People, process, technology

311
Security Tools – Typical Enterprise (Part 1)

• Gartner Magic Quadrant reports
• List of some other industry reports
Security Tools – Typical Enterprise (Part 1)

Endpoint
Protection
Jan, 2017
Gartner

Trend Micro
Sophos
Kaspersky
Symantec

https://www.gartner.com/doc/reprints?id=1-3SCOKCW&ct=170131&st=sb
313
Security Tools – Typical Enterprise (Part 1)

Secure Web
GW
June, 2017
Gartner

Symantec
Zscaler

https://www.gartner.com/doc/reprints?id=1-3SCOKCW&ct=170131&st=sb
314
Security Tools – Typical Enterprise (Part 1)

UTM
(SMB Multi-function
FW)
June, 2017
Gartner

Fortinet
Checkpoint

https://www.gartner.com/doc/reprints?id=1-3SCOKCW&ct=170131&st=sb
315
Security Tools – Typical Enterprise (Part 1)

Enterprise
Network FWs
May 2016
Gartner

Palo Alto
Networks

https://www.gartner.com/doc/reprints?id=1-3805JH8&ct=160525&st=sb
316
Security Tools – Typical Enterprise (Part 1)

SIEM
AUGUST 2016
GARTNER

IBM
Splunk
LogRhythm

https://www.gartner.com/doc/reprints?id=1-2JNR3RU&ct=150720&st=sb
317
Security Tools – Typical Enterprise (Part 1)

DLP
FEB 2017
GARTNER

Symantec
Digital Guardian
Forcepoint

https://www.gartner.com/doc/reprints?id=1-3UKD88K&ct=170301&st=sb
318
Security Tools – Typical Enterprise (Part 1)

APPLICATION
SECURITY
TESTING
FEB 2017
GARTNER

HPE
Veracode
IBM

https://www.gartner.com/doc/reprints?id=1-3UKD88K&ct=170301&st=sb
319
Security Tools – Typical Enterprise (Part 1)

• View and read various industry reports for security tools comparisons:
– Gartner
– Forrester
– Security Awards
– Lab reports: ICSA, NSS

END

320
Security Tools – Typical Enterprise (Part 2)

• NSS Labs Security Value Map (SVM)
• Some additional Gartner Magic Quadrant reports

321
Security Tools – Typical Enterprise (Part 2)

NGFW
NSS Labs
2016

Hillstone
Huawei
Fortinet

https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/Brochure-NSS-Lab-Independent-Validation.pdf

322
Security Tools – Typical Enterprise (Part 1)

Enterprise
Mobility
Management
(EMM)
June 2017

VMWARE
MobileIron
IBM
Blackberry

https://www.gartner.com/doc/reprints?id=1-42A6Q84&ct=170607&st=sb
323
Security Tools – Typical Enterprise (Part 1)

DC Backup
& Recovery
June 2016

Commvault
IBM
EMC
Veritas

https://www.gartner.com/doc/reprints?id=1-38JSYOW&ct=160602&st=sb
324
Security Tools – Typical Enterprise (Part 1)

Identity,
Governance
Feb 2017

Sailpoint
Oracle
CA
IBM

https://www.sailpoint.com/identity-governance-leader-gartner-magic-quadrant/
325
Security Tools – Typical Enterprise (Part 1)

Network Perf
Monitoring
& Diagnostics
Feb 2017

NetScout
Viavi
Riverbed

https://www.gartner.com/doc/reprints?id=1-3TYUQFH&ct=170221&st=sb
326
Security Tools – Typical Enterprise (Part 1)

Web App FW
July 2016

Imperva

https://www.gartner.com/doc/reprints?id=1-3TYUQFH&ct=170221&st=sb
327
Security Tools – Typical Enterprise (Part 2)

• Gartner
• Forrester
• NSS labs
• ICSA Labs

END

328
What Does “Box Security” Mean ?

• “Box Security” refers to a prevalent approach in the industry, especially in larger organizations, in which the solution for every security challenge is in the form of a “box” or device

329
What Does “Box Security” Mean ?

• Box for :
– Email security
– Web security
– FW
– IPS
– APT attack
prevention
– DDOS prevention
– Network DLP
– Network Forensics
– Others
330
What Does “Box Security” Mean ?

• Security is a
combination of people,
process, and technology
• Industry observation:
most of the devices are
not used to full
capability or capacity
after purchase
• Case in point: SIEM
solution or DB security
solution

331
What Does “Box Security” Mean ?

• “Box security” is not the silver bullet
• Although many devices and boxes are required, they do not ensure a good security posture
• This approach is unfortunately promoted by many vendors who have equipment to sell
• Consider organizational maturity & readiness
332
What Does “Box Security” Mean ?

• Other challenges with the “box security” approach:
– Shortage of staff (IT & security)
– Training and skill required to operate the sophisticated devices and features

333
What Does “Box Security” Mean ?
SECURITY SOLUTION LIFECYCLE
1. Security requirement study
2. Solution research
3. Budgeting & approvals
4. RFP, HLD, vendor/tool selection
5. Installation & commissioning + training
6. Acceptance & sign-off (meeting HLD)
7. Development of SOP & commissioning
8. Ongoing operations, change management, audits
334
What Does “Box Security” Mean ?

• Device objectives and high-level design (HLD) should be planned prior to commissioning
• Minimum operational baseline and configuration should be documented in the SOP
• Device feature set and configuration audits should be conducted on a periodic basis (annual)
335
Best Approach: IT Enterprise Security ?

• The 4-layer security transformation model is the only way to effectively and practically address security posture
• The 4-layer security transformation model is tried & tested for geographies where the overall security awareness & posture is weak
336
Best Approach: IT Enterprise Security ?

4-layer security transformation model (bottom layer first):
1. Security Hardening
2. Vulnerability Management
3. Security Engineering
4. Security Governance
Best Approach: IT Enterprise Security ?

1. Security hardening:
address security
configuration of all IT
assets which security
“boxes” won’t do for
you
2. Vulnerability
management: scanning
to inspect patching of
IT assets (essential)
3. Security engineering
4. Security governance
338
Best Approach: IT Enterprise Security ?

3. Security engineering:
this is where more
serious investments
may be made once
layers 1 & 2 have been
completed
satisfactorily (or are
being addressed)

339
Best Approach: IT Enterprise Security ?

4. Security governance:
ensure the proper
utilization (as
intended), ROI, and
audits of purchased
devices & solutions

Also ensure configs are as per design and SOPs.

340
What Is Disaster Recovery (DR) ?

• What is a disaster ?
– Any significant event
that causes
disruption of
information
technology
processing facilities,
thus affecting the
operations of the
business
https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-strategies-processes-564
341
What Is Disaster Recovery (DR) ?

• What is disaster
recovery (DR) ?
– DR is an area of
security that allows
an organization to
maintain or quickly
resume mission-
critical (IT) functions
following a disaster
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery

342
What Is Disaster Recovery (DR) ?

• What could cause the invocation of a DR failover to the DR site ?
– Natural disasters such as flood, earthquake, lightning, storm
– Disasters caused by human actions such as riot, fire, terrorist act, etc

343
What Is Disaster Recovery (DR) ?

• What is the difference between DR and business continuity (BC)?
– DR is an IT function, whereas business continuity addresses keeping all essential aspects of a business functioning despite disruptive events (DR is a part of BC)
https://en.wikipedia.org/wiki/Disaster_recovery
344
What Is Disaster Recovery (DR) ?

http://grcbizassurance.com/services/disaster-recovery/
345
What Is Disaster Recovery (DR) ?

• Three step process:
– Failover to the DR site (DR invocation)
– Restoration of the services/facilities on the primary site
– Recovery (switchover back to the primary site)
https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-strategies-processes-564

346
What Is Disaster Recovery (DR) ?

• What is a DR plan ?
– A documented,
structured approach
to dealing with
unplanned incidents

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery-plan

347
What Is Disaster Recovery (DR) ?

• DR plan checklist:
– Scope of the activity
– Gathering relevant
network
infrastructure
documents
– Identifying the most
serious threats and
vulnerabilities, and
the most critical
assets
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery-plan
348
What Is Disaster Recovery (DR) ?

– Identifying current
DR strategies
– Identifying
emergency response
team
– Management review
& approval of DR plan
– Testing the plan (drill)
– Updating the plan
– Implementing a DR
plan audit
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery-plan
349
What Is Disaster Recovery (DR) ?

• Sample DR plan
template:
– http://www.it.miami.edu/_assets/pdf/security/ITPol_A135-Disaster%20Recovery%20Plan%20Example%202.pdf

350
What is Business Continuity (BC) ?
• What is business
continuity ?
– Business Continuity
(BC) is the capability
of the org to continue
delivery of products or
services at acceptable
predefined levels
following a disruptive
incident (Source: ISO
22301:2012)
http://www.thebci.org/index.php/resources/what-is-business-continuity
What is Business Continuity (BC) ?
• What is business
continuity management?
– Holistic management
process that identifies
potential threats to an
organization and the
impacts to business
operations those
threats, if realized,
might cause, and
which provides a …
http://www.thebci.org/index.php/resources/what-is-business-continuity
What is Business Continuity (BC) ?
• What is business
continuity management?
– …framework for
building org resilience
with an effective
response that
safeguards interests
of key stakeholders,
reputation, brand and
value-creating
activities. (Source: ISO
22301:2012)
http://www.thebci.org/index.php/resources/what-is-business-continuity
353
What is Business Continuity (BC) ?

http://www.thebci.org/index.php/resources/what-is-business-continuity
354
What is Business Continuity (BC) ?

• What is a BC plan ?
– A document that
consists of critical
information an
organization needs to
continue operating
during an unplanned
event

http://searchdisasterrecovery.techtarget.com/definition/business-continuity-action-plan
355
What is Business Continuity (BC) ?

• What is a BC plan ?
– The BCP should state
essential functions of
the business, identify
which systems and
processes must be
sustained, & detail
how to maintain
them. It should take
into account any
possible business
disruption
http://searchdisasterrecovery.techtarget.com/definition/business-continuity-action-plan
356
DR In Enterprise Architecture – Part 1

• DR considerations:
– DR plan
– RTO & RPO

357
DR In Enterprise Architecture – Part 1

• DR plan:
– A disaster recovery
policy statement,
plan overview and
main goals of the
plan
– Key personnel and
DR team contact
information

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery

358
DR In Enterprise Architecture – Part 1

• DR plan (contd)…:
– Description of
emergency response
actions immediately
following an incident.
– A diagram of the
entire network and
recovery site.
– Directions for how to
reach the recovery
site.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
359
DR In Enterprise Architecture – Part 1

• DR plan (contd)…:
– A list of software and
systems that will be
used in the recovery.
– Sample templates for
a variety of
technology
recoveries, including
technical
documentation from
vendors.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
360
DR In Enterprise Architecture – Part 1

• DR plan (contd)…:
– Summary of
insurance coverage.
– Proposed actions for
dealing with financial
and legal issues.
– Ready-to-use forms
to help complete the
plan.

361
DR In Enterprise Architecture – Part 1

http://grcbizassurance.com/services/disaster-recovery/
362
DR In Enterprise Architecture – Part 1

• RTO:
– Max amount of time,
following a disaster,
for an org to recover
files from backup
storage and resume
normal operations;
max amount of
downtime an org can
handle.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery

363
DR In Enterprise Architecture – Part 1

• RTO:
– If an organization has
an RTO of two hours,
it cannot be down for
longer than that

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery

364
DR In Enterprise Architecture – Part 1

• RPO:
– RPO is the max age of
files that an
organization must
recover from
backup storage for
normal operations to
resume after a
disaster; determines
the minimum
frequency of backups.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
DR In Enterprise Architecture – Part 1

• RPO:
– For example, if an
organization has an
RPO of four hours,
the system must back
up at least every four
hours

http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
366
DR In Enterprise Architecture – Part 2

• DR considerations:
– DR facility
– DR drills & testing
– DR testing checklist
– BC plan alignment

367
DR In Enterprise Architecture – Part 2

• DR facility:
– Location
– Media circuits and
backup circuits
– Power and
environment
– IT data center design
– Based on DR plan
– Operations &
maintenance

368
DR In Enterprise Architecture – Part 2

• DR drills & testing:
– Frequency and execution of DR drills as per the IT policy of the org
– Minimum twice a year, and preferably quarterly for critical business requirements
– Backup testing
– Backup testing

369
DR In Enterprise Architecture – Part 2

• DR testing checklist:
– Secure management
approval and funding
for the test.
– Provide detailed
information about
the test.
– Make sure the entire
test team is available
on the planned test
date.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
370
DR In Enterprise Architecture – Part 2

• DR testing checklist …:
– Ensure your test does
not conflict with
other scheduled tests
or activities.
– Confirm test scripts
are correct.
– Verify that the test
environment is ready.
– Schedule a dry run of
the test.
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
371
DR In Enterprise Architecture – Part 2

• DR testing checklist…:
– Be ready to halt the
test if needed.
– Have a scribe take
notes.
– Complete an after-
action report about
what worked and
what failed.
– Use the test results
to update DR plan
http://searchdisasterrecovery.techtarget.com/definition/disaster-recovery
372
DR In Enterprise Architecture – Part 2

• BC plan alignment:
– DR is under IT
ownership, whereas
BC is under business
operations ownership
– DR is part of overall
BC
– Both plans must
integrate and align
seamlessly

373
Role Of An IT Asset In Enterprise Security

• What is an IT asset ?
– An IT asset is any
resource such as
hardware, software,
information, human
resource, or facility
owned or utilized by
the organization for
IT processing

374
Role Of An IT Asset In Enterprise Security

IT ASSET LIFECYCLE
1. Planning
2. Procurement
3. Installation
4. Secure
5. Acceptance
6. Support & Maintain
7. Retirement & Disposal
375
Role Of An IT Asset In Enterprise Security

1. PLANNING: Requirements; Owner & Risk Owner; High Level Design; Budget Approvals; Project Planning
2. PROCUREMENT: RFP; Vendor Selection; PO; Contract & SLA; Kick-Off Meeting
3. INSTALLATION: Site Preparation; Delivery; Configuration; Testing; Commissioning
4. SECURE: Security Controls; Security Checklist; Security SOP; Security Testing; Change Management
5. ACCEPTANCE: Test Scripts; UAT; Security Accreditation; Commissioning Sign-off
6. SUPPORT/MAINTAIN: Vendor Support; Maintenance/Repair; Change Requests; Renewals & Upgrades; Regular Updates; Monitoring & Audits
7. RETIRE/DISPOSE: Decommission; Dispose/Salvage; Update Inventory
376
Role Of An IT Asset In Enterprise Security

SECURITY DURING ASSET LIFECYCLE
1. Planning
2. Procurement
3. Installation
4. Secure
5. Acceptance
6. Support & Maintain
7. Retirement & Disposal
377
Role Of An IT Asset In Enterprise Security

• Asset owner: a person in the org responsible for managing an asset (e.g. for a laptop)
• Risk owner: manages the risks associated with the IT asset. Authorized to make decisions associated with managing risks, and in a management position

378
Role Of An IT Asset In Enterprise Security

• Acceptable Use (Of IT Assets):
– Laptops
– Mobiles
– Web browsing
– Email usage
– Servers
– Company data

379
How To Determine Security Posture ?

• Questions to ask:
– Information security
policy ?
– Organization security
culture and tone at
the top ?
– Clearly designated
responsibility for
security ?
– How many staff in
security team [10%]
and their roles ?
380
Case Study: Typical Security Posture

– Security hardening
done on IT assets ?
– Which standard used
for hardening ?
– Internal VM program
?
– Frequency of VM
scanning ?
– Licensed software for
OS/DB/Programs ?

381
Case Study: Typical Security Posture

– Last time a penetration test was conducted by a 3rd party ?
– Maturity of system security policies pushed through AD/GP
– DR and/or backup site ?
– When was the last time a DR drill was performed ?
382
Case Study: Typical Security Posture

– Is internal software
developed ? (Secure -
SDLC)
– What is the
mechanism to take
backups of IT assets
and to test backups ?
– What is the maturity
of access control for
users, admins
– Regular audits for
access control ?
383
Case Study: Typical Security Posture

– What type of security controls are implemented on any transactional systems such as mobile banking or internet banking (2FA) ?
– Is critical data in the org encrypted ?
– How do you protect test data ?

384
Case Study: Typical Security Posture

– What is the
mechanism to
perform security
accreditation of new
applications or
systems ?
– Is security embedded
in critical business
processes ?
– Is there a business
continuity and DR
policy / mechanism ?
385
Case Study: Typical Security Posture

– Security standard or
framework followed
for governance ?
– Internal security
awareness program ?
– Maturity of change
management and
incident management
– Board Steering
Committee
(Information
Security)
386
Case Study: Typical Security Posture

• Note: the
implementers of the
security measures are
often not the ones
giving the best answers
• Auditors & compliance
team should also be
queried
• Important question:
have there been any
recent incidents ?

387
Driving Successful Security Transformation

• Critical factors for successful security transformation projects:
– Board-level buy-in and sponsorship
– Regular Board or Executive management project reviews and decisions
– Allocation of sufficient priority & resources
388
Driving Successful Security Transformation

• Projects either fail or succeed before they begin !

389
Driving Successful Security Transformation

ISMC members:
– Infosec Head
– Manager IT Infra (Linux/Oracle)
– Manager IT Infra (Win/SQL)
– Networks Manager
390
Driving Successful Security Transformation
INFORMATION SECURITY STAKEHOLDERS
– INFORMATION SECURITY MANAGEMENT COMMITTEE (ISMC)
– IT SECURITY PROGRAM
– IT TEAMS
– STEERING COMMITTEE
– BOARD/EXECUTIVE
391
Driving Successful Security Transformation

4-layer model (bottom layer first):
1. Security Hardening
2. Vulnerability Management
3. Security Engineering
4. Security Governance
392
Driving Successful Security Transformation
Board [QUARTERLY]
InfoSec Steering Committee [MONTHLY]
Information Security Management Committee (ISMC) [WEEKLY]
IT / InfoSec Teams [DAILY]
393
Driving Successful Security Transformation
1. Establish track
2. MSB
3. Pilot
4. Implement across IT
5. Continuous improvement
Driving Successful Security Transformation

Weekly ISMC status update
Monthly status update to IT STEERING COMM.
Quarterly status update to BOARD
395
Driving Successful Security Transformation

• Security transformation projects can be made successful with correct sponsorship, structure, strategy, and strong project management

396
Difference Between Patching & Hardening

• Chapter 3
– Security
Transformation Stage
1: Security Hardening
Of IT Assets

397
Revisit Of Security Transformation Model

Security transformation model (bottom layer first):
1. Security Hardening
2. Vulnerability Management
3. Security Engineering
4. Security Governance
398
Revisit Of Security Transformation Model

• Security hardening:
– IT assets such as
hardware and
software come with
default (insecure)
configurations which
become the basis for
attacks
– Typical case in point:
username and
password: “admin,
admin”
399
Revisit Of Security Transformation Model

• Security hardening:
– Process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one (Wikipedia)
400
Revisit Of Security Transformation Model

• Patching: Fixing
vulnerabilities (which
may be exploited by
malware or attackers) in
software or firmware
with vendor released
patches (auto or manual
updates)
• Patches are also called
fixes
https://www.kenexis.com/patching-hardening-cybersecurity/

401
Revisit Of Security Transformation Model

• Patching considerations:
– Vendors release a patch when they become aware of a vulnerability
– Patches may be rolled up into a release
– Off-the-shelf software works well with vendor patches, but testing is required for customized instances
https://www.kenexis.com/patching-hardening-cybersecurity/
402
Revisit Of Security Transformation Model

• Hardening: includes
additional steps beyond
patching to limit the
ways a hacker or
malware could gain
entry.
• Accomplished by turning
on only the ports and
services required, secure
configuration of services
& additional steps to
limit system access
https://www.kenexis.com/patching-hardening-cybersecurity/
403
Revisit Of Security Transformation Model

• Note that both hardening & patching are required
– Hardening prevents existing and future vulnerabilities by tightening configuration
– Patching is more of a vendor driven process but essential nonetheless
404
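One way to turn the "only the ports and services required" rule above into the periodic configuration audit the governance slides call for, added here as an example that is not part of the handouts: it parses constructed `ss -Hltn` output from a hypothetical web server and reports drift from a hypothetical "web" role baseline. The baseline, the host role and the sample output are all assumptions.

```python
from typing import Dict, List, NamedTuple, Set

# Constructed sample of `ss -Hltn` output (listening TCP sockets, header suppressed)
# from a hypothetical web server; not a capture from the handouts.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
LISTEN 0 511   0.0.0.0:80      0.0.0.0:*
LISTEN 0 128   0.0.0.0:23      0.0.0.0:*
LISTEN 0 4096  [::]:111        [::]:*
LISTEN 0 128   127.0.0.1:9100  0.0.0.0:*
"""

# Hypothetical minimum security baseline (MSB) for the "web" host role, as it would be
# recorded in the hardening SOP: the only services allowed to listen on the network.
WEB_BASELINE: Dict[int, str] = {22: "ssh", 80: "http", 443: "https"}

LOOPBACK = {"127.0.0.1", "::1"}


class Listener(NamedTuple):
    addr: str
    port: int


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -Hltn` lines into (address, port) pairs; tolerates IPv6 brackets and '*'."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # skip blank or foreign lines rather than crash
        addr, _, port = fields[3].rpartition(":")
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def audit(listeners: List[Listener], baseline: Dict[int, str]) -> dict:
    """Compare network-exposed listeners with the baseline and report drift.

    Unexpected listeners fail the check (attack surface beyond the SOP). Expected services
    that are absent are reported too, since that usually means the build is incomplete.
    Loopback-only services are listed separately because they add no network exposure.
    """
    exposed: Set[int] = {ln.port for ln in listeners if ln.addr not in LOOPBACK}
    loopback_only = sorted({ln.port for ln in listeners if ln.addr in LOOPBACK} - exposed)
    unexpected = sorted(exposed - set(baseline))
    missing = sorted(set(baseline) - exposed)
    return {
        "unexpected": unexpected,
        "missing": missing,
        "loopback_only": loopback_only,
        "compliant": not unexpected,
    }


if __name__ == "__main__":
    report = audit(parse_ss(SAMPLE_SS_OUTPUT), WEB_BASELINE)
    for key, value in report.items():
        print(f"{key:>14}: {value}")
    # unexpected: [23, 111], missing: [443], loopback_only: [9100], compliant: False
```

Run against live output (`ss -Hltn | python3 audit.py` after swapping the constant for `sys.stdin.read()`), the same check becomes the validation step the InfoSec team signs off on, with one baseline per host role.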
Security Hardening Strategy

• Depending upon the size and type of the organization, there will be dozens, hundreds, or even thousands of IT assets to secure
• Priority is a key factor in all security undertakings
• Prioritize what is most important and needs to be done first
• Cascade as we go along
405
Security Hardening Strategy

406
Security Hardening Strategy

• Separate security
engineering (Step 3)
from security hardening
(step 1)
• Security engineering
requires more thorough
working so will slow
down the security
implementation
• Do the low hanging fruit
first (security hardening)

407
Security Hardening Strategy

• Minimum security baseline (MSB) refers to the obvious assets which need to be secured and the threshold which is the minimum expectation from the security program

408
Security Hardening Strategy

409
Security Hardening Strategy

TRACK 1: IT INFRASTRUCTURE

TRACK 2: ISMS DOC & PROCESSES

TRACK 3: SOFTWARE APP

TRACK 4: OTHER APPS/UTILITIES/3RD PARTIES

TRACK 5: DESKTOPS & BROWSERS

TRACK 6: VULNERABILITY MANAGEMENT

TRACK 7: MOBILE SECURITY


Security Hardening Strategy

• For a successful security transformation project, good planning, organization, and effective project management are essential

411
Pre-requisites For Security Hardening

1. Security program
approved
2. Consultant on board
3. Project kick-off
meeting held
4. ISMC team identified
and their loading for
this project
communicated
5. Appraisal linkage of
core resources
announced by CIO
412
Pre-requisites For Security Hardening

1. Security program
approved
– Project director
– Timeline
– General project
sequence and
strategy
– Understanding of
main players and
roles
– Understanding of
project structure
413
Pre-requisites For Security Hardening

2. Consultant on board
– Expert consultants
in security
transformation can
facilitate the project
success
– Third party &
independent
– Bring a focus on
delivering results
– Strong domain
knowledge
414
Pre-requisites For Security Hardening

3. Project kick-off
meeting held
– Project goals &
mission
– All key stakeholders
made aware of their
roles
– Responsibilities &
authority
– Success criteria &
reporting
mechanism
415
Pre-requisites For Security Hardening

4. ISMC team identified and their loading for this project communicated
– ISMC plays a critical role
– Cooperation & teamwork
– Security leadership culture
– Clarity on goals

416
Pre-requisites For Security Hardening

5. Appraisal linkage of
core resources
announced by CIO
– Broader team
– Announcement by
CIO
– Clarity on evaluation
mechanism

417
Who Will Conduct The Security Hardening ?

• Involvement of various
stakeholders for security
hardening
– Operations teams
– Security team
– IT management
– Consultant
– Business

418
Who Will Conduct The Security Hardening ?

Security team
IT Ops teams
IT management
Consultant
Business
419
Who Will Conduct The Security Hardening ?

• IT Operations teams:
– Study the security
controls (CIS/DISA)
– Apply the security
controls in pilot/test
environment
– Report the
completion of control
implementation to
ISMC
– Assist InfoSec team
with validation
420
Who Will Conduct The Security Hardening ?

• InfoSec team:
– Conduct validation of
security controls
implementation
– Acquire checklist of
controls from
relevant IT team
– Document the status
of controls in the
form of a checklist
– Forward validation
report to ISMC
421
Who Will Conduct The Security Hardening ?

• IT management:
– Ensure IT operations
teams receive
required guidance
and support
– Sign-off on change
management
requests
– Assist with planning
down-time and
business related
downtime
422
Who Will Conduct The Security Hardening ?

• Consultant or project
director:
– Drives the security
program
– Ensures that strategy
is aligned with project
objectives
– Ensures process and
activities are moving
at good momentum
as per timeline

423
Who Will Conduct The Security Hardening ?

• Business stakeholders:
– Provide downtime
approvals if required
– Help to engage other
vendors if applicable

424
8 Step Methodology – Security Hardening (1)

• What is the 8 step security hardening methodology ?

425
8 Step Methodology – Security Hardening (1)

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor
426
8 Step Methodology – Security Hardening (1)

• Purpose:
– Many assets need to
be hardened at
various times, by
various teams, for
various requirements
and projects
– Standardize and
follow a consistent
approach

427
8 Step Methodology – Security Hardening (1)

• Benefits:
– Process for security
hardening
– Discipline to always
follow the same steps
– Helps avoid missing
any steps in the
process
– Gives team clarity on
what to do and what
sequence to follow

428
8 Step Methodology – Security Hardening (1)

• If You Skip This Process:
– Will follow a new approach every time
– Every resource has their own method
– Dependence on resource rather than the process
– Complicate rather than simplify
– Divergence in security activities
429
8 Step Methodology – Security Hardening (1)

HEAD OF DEPT
ISMC: drives the program; decision making; includes all 3-4 domain team leads
TEAM LEAD: member of ISMC; reports to head of dept
IT OPS TEAM: team that will implement the security controls
INFOSEC TEAM: reports to CISO or InfoSec head, or led by consultant
430
8 Step Methodology – Security Hardening (1)
STEP | DESCRIPTION | PERFORMED BY | FACILITATED BY
1 | IDENTIFY CRITICAL ASSETS (& ASSET OWNER) | ISMC | HEAD OF IT SECTION
2 | RESEARCH APPLICABLE SECURITY CONTROLS | INFOSEC TEAM | ISMC
3 | CHECKLIST OF APPLICABLE SECURITY CONTROLS | INFOSEC TEAM | TEAM LEAD
4 | DOCUMENT CONTROLS INTO SOP | TEAM LEAD | INFOSEC TEAM
5 | IMPLEMENT CONTROLS ON TEST SETUP | IT OPERATIONS TEAM | TEAM LEAD
6 | VALIDATION OF CONTROL IMPLEMENTATION | INFOSEC TEAM | IT OPERATIONS TEAM
7 | CHANGE MANAGEMENT PROCESS FOR PRODUCTION | TEAM LEAD | ISMC
8 | PRODUCTION & MONITOR | IT OPERATIONS TEAM | TEAM LEAD
431
8 Step Methodology – Security Hardening (1)

• Let's look at the steps in detail in the next module

END

432
8 Step Methodology – Security Hardening (2)

• Step 1: Identify Critical Assets & Asset Owner:
– Asset inventory &
infrastructure
diagram
– Examine risks
– Analyze assets at a
high level and
prioritize
– Minimum security
baseline (MSB)
– Break into phases
433
8 Step Methodology – Security Hardening (2)

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

434
8 Step Methodology – Security Hardening (2)

• Step 2: Research on
applicable security
controls
– CIS, DISA
– Search on google
– Review standards/frameworks (ISO27001, PCI, etc)
– Look at OWASP, CSA,
NIST, CIS Top 20
– Selection of controls
435
8 Step Methodology – Security Hardening (2)

• Step 3: Checklist of
applicable security
controls
– Checklist for
progress tracking
– Share with
appropriate IT team
– Forms record for
controls trail

436
8 Step Methodology – Security Hardening (2)

• Step 4: Document
controls into SOP
– Enter controls set
into draft SOP
– Who will do what
when, (and briefly
how)
– Get Dept Head agreement and sign-off on checklist and SOP

END

437
8 Step Methodology – Security Hardening (3)

• Step 5: Implement
controls on test setup
– Relevant IT team to
implement controls
on test setup
– Update checklist
– Update SOP (if
necessary)
– Send checklist back
to InfoSec team

438
8 Step Methodology – Security Hardening (3)

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

439
8 Step Methodology – Security Hardening (3)

• Step 6: Validation of
control implementation
(by InfoSec team)
– InfoSec resource with
relevant domain
knowledge
– Conduct preparation
before actual
validation (study
controls)
– Update checklist with
status column
440
8 Step Methodology – Security Hardening (3)

• Step 7: Change
management process
for PRODUCTION:
– ISMC receives
validation status from
InfoSec team
– Relevant dept head
takes up change
management process
and prepares for
shifting to PROD
– Rollback, impact etc
441
8 Step Methodology – Security Hardening (3)

• Step 8: Implement on
PROD & monitor:
– Monitor closely for
24-48 hours after
moving to PROD
– Rollback in case of
unforeseen
circumstances
– IT team SOP finalized and now ops task

END

442
A Look At CIS Security Benchmarks (1)

• Center for Internet Security (CIS)
– https://www.cisecurity.org/cis-benchmarks/
– Fill out your details and you will receive an email with the link

443
A Look At CIS Security Benchmarks (1)

444
A Look At CIS Security Benchmarks (2)

# OVERALL CIS BENCHMARK CATEGORIES TOTAL
1 OPERATING SYSTEMS 36
2 SERVER SOFTWARE 33
3 CLOUD PROVIDERS 2
4 MOBILE DEVICES 8
5 NETWORK DEVICES 6
6 DESKTOP SOFTWARE 21
7 MULTIFUNCTION PRINT DEVICES 1
GRAND TOTAL CIS BENCHMARKS 107

445
A Look At CIS Security Benchmarks (1)

# OPERATING SYSTEMS TOTAL
1 DISTRIBUTION INDEPENDENT LINUX 1
2 MICROSOFT WINDOWS DESKTOP 5
3 DEBIAN LINUX 2
4 UBUNTU LINUX 3
5 AMAZON LINUX 1
6 CENTOS LINUX 2
7 ORACLE LINUX 2

446
A Look At CIS Security Benchmarks (1)

# OPERATING SYSTEMS (CONTD)… TOTAL
8 REDHAT LINUX 3
9 SUSE LINUX 2
10 APPLE OS (UNIX) 5
11 IBM AIX (UNIX) 1
12 ORACLE SOLARIS (UNIX) 3
13 MS WINDOWS SERVER 6
TOTAL BENCHMARKS OPERATING SYSTEMS 36

447
A Look At CIS Security Benchmarks (1)

448
A Look At CIS Security Benchmarks (1)

449
A Look At CIS Security Benchmarks (1)

# SERVER SOFTWARE TOTAL
1 MICROSOFT IIS (WEB SERVER) 3
2 VMWARE (VIRTUALIZATION) 2
3 MONGODB (DATABASE SERVER) 3
4 IBM DB2 (DATABASE SERVER) 3
5 BIND (DNS SERVER) 1
6 APACHE TOMCAT (WEB SERVER) 2
7 MICROSOFT SQL SERVER (DB SERVER) 3

450
A Look At CIS Security Benchmarks (1)

# SERVER SOFTWARE (CONTD)… TOTAL
8 APACHE (HTTP SERVER) 2
9 DOCKER (VIRTUALIZATION) 5
10 ORACLE (DATABASE SERVER) 3
11 KUBERNETES (VIRTUALIZATION) 1
12 MIT KERBEROS (AUTHENTICATION) 1
13 ORACLE MySQL (DB SERVER) 4
TOTAL BENCHMARKS SERVER SOFTWARE 33

451
A Look At CIS Security Benchmarks (1)

452
A Look At CIS Security Benchmarks (1)

# CLOUD PROVIDERS TOTAL
1 AMAZON WEB SERVICES 2
TOTAL CLOUD PROVIDERS 2

453
A Look At CIS Security Benchmarks (1)

• Next
module…remaining
categories

END

454
A Look At CIS Security Benchmarks (2)

• Mobile devices, network devices, desktop software, multifunction print devices

455
A Look At CIS Security Benchmarks (2)

# MOBILE DEVICES TOTAL
1 APPLE IOS 5
2 GOOGLE ANDROID 3
TOTAL BENCH MARKS MOBILE DEVICES 8

456
A Look At CIS Security Benchmarks (2)

# NETWORK DEVICES TOTAL
1 CISCO 4
2 PALO ALTO NETWORKS 2
TOTAL BENCHMARKS NETWORK DEVICES 6

457
A Look At CIS Security Benchmarks (2)

# DESKTOP SOFTWARE TOTAL
1 MICROSOFT OFFICE 13
2 GOOGLE CHROME (WEB BROWSER) 1
3 MS EXCHANGE SERVER 3
4 MS INTERNET EXPLORER 2
5 MOZILLA FIREFOX 2
TOTAL BENCHMARKS DESKTOP SOFTWARE 21

458
A Look At CIS Security Benchmarks (2)

# MULTIFUNCTION PRINT DEVICES TOTAL
1 MULTIFUNCTION DEVICE 1
TOTAL BENCHMARKS MULTIFUNCTION PRINT DEVICES 1

459
A Look At CIS Security Benchmarks (2)

460
A Look At CIS Security Benchmarks (2)

461
A Look At CIS Security Benchmarks (2)

462
A Look At CIS Security Benchmarks (2)

463
A Look At CIS Security Benchmarks (2)

464
A Look At CIS Security Benchmarks (1)

• Next module…further
details

END

465
A Look At CIS Security Benchmarks (3)

• CIS Benchmarks
example (Network
Devices)

466
A Look At CIS Security Benchmarks (3)

# OVERALL CIS BENCHMARK CATEGORIES TOTAL
1 OPERATING SYSTEMS 36
2 SERVER SOFTWARE 33
3 CLOUD PROVIDERS 2
4 MOBILE DEVICES 8
5 NETWORK DEVICES 6
6 DESKTOP SOFTWARE 21
7 MULTIFUNCTION PRINT DEVICES 1
GRAND TOTAL CIS BENCHMARKS 107
A Look At CIS Security Benchmarks (3)

• June 29, 2016
• 174 pages PDF doc

468
A Look At CIS Security Benchmarks (3)

• Control content:
– Profile applicability
(ASA 8.X, ASA 9.X)
– Description
– Rationale
– Audit
– Remediation
– Default value
– References

469
A Look At CIS Security Benchmarks (3)

• 1.8 (page 88); Session Timeout
– Profile applicability:
Level 1, Cisco ASA9.X
– Description: Sets the
idle timeout for a
console session
before the security
appliance terminates
it.

470
A Look At CIS Security Benchmarks (3)

• 1.8 (page 88); Session Timeout
– Rationale: Limiting
session timeout
prevents
unauthorized users
from using
abandoned sessions
to perform malicious
activities.

471
A Look At CIS Security Benchmarks (3)

472
A Look At CIS Security Benchmarks (3)

473
A Look At CIS Security Benchmarks (3)

• 1.8 (page 88); Session Timeout
– Default Value: The
default timeout is 0,
which means the
console session will
not time out

474
A Look At CIS Security Benchmarks (3)

• 1.8 (page 88); Session Timeout
– Reference: CLI Book
1: Cisco ASA Series
General Operations
CLI Configuration
Guide, 9.1

475
A Look At CIS Security Benchmarks (4)

• CIS Benchmarks
example (Operating
Systems)
– MS Windows Server
2012-R2

476
A Look At CIS Security Benchmarks (4)

# OVERALL CIS BENCHMARK CATEGORIES TOTAL
1 OPERATING SYSTEMS 36
2 SERVER SOFTWARE 33
3 CLOUD PROVIDERS 2
4 MOBILE DEVICES 8
5 NETWORK DEVICES 6
6 DESKTOP SOFTWARE 21
7 MULTIFUNCTION PRINT DEVICES 1
GRAND TOTAL CIS BENCHMARKS 107

477
A Look At CIS Security Benchmarks (4)

• January 31, 2017
• 760 pages PDF doc

478
A Look At CIS Security Benchmarks (4)

• Profile applicability:
– Level 1 domain
controller
– Level 1 member
server
– Level 2 domain
controller
– Level 2 member
server

479
A Look At CIS Security Benchmarks (4)

• Level 1: Items in this profile intend to:
– be practical and
prudent;
– provide a clear
security benefit; and
– not inhibit the utility
of the technology
beyond acceptable
means

480
A Look At CIS Security Benchmarks (4)

• Level 2: extends the Level 1 profile
– intended for
environments or use
cases where security
is paramount
– acts as defense in
depth measure
– may negatively inhibit
the utility or
performance of the
technology
481
A Look At CIS Security Benchmarks (4)

• Control content:
– Profile applicability
(ASA 8.X, ASA 9.X)
– Description
– Rationale
– Audit
– Remediation
– Impact
– Default value
– References

482
A Look At CIS Security Benchmarks (4)

• 1.1.2 [L1]: Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' (Scored)
– Profile applicability:
Level 1 Domain
Controller, Level 1
Member Server

483
A Look At CIS Security Benchmarks (4)

• 1.1.2 [L1] Description:
– This policy setting
defines how long a
user can use their
password before it
expires.
– Values for this policy
setting range from 0
to 999 days. If you set
the value to 0, the
password will never
expire.
484
A Look At CIS Security Benchmarks (4)

• 1.1.2 [L1] Audit:
– Navigate to the UI
Path articulated in
the Remediation
section and confirm it
is set as prescribed.

485
A Look At CIS Security Benchmarks (4)

486
A Look At CIS Security Benchmarks (4)

• 1.1.2 [L1] Default Value: 42 days
• 1.1.2 [L1] Reference: CCE-37167-4
– Common
Configuration
Enumeration (Unique
identifiers for
common system
config issues)
END

487
A Look At DISA STIGs (1)

• USA DoD
• Security Technical
Implementation Guides
(STIGs)
• Most expansive security
benchmarks available
• Most regularly updated
• Unclassified version
• http://iase.disa.mil/stigs/Pages/index.aspx
• 425 STIGs available
488
A Look At DISA STIGs (1)

• STIGs master list (A-Z):
– http://iase.disa.mil/stigs/Pages/a-z.aspx
• STIG viewer:
– http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

489
A Look At DISA STIGs (1)

STIGs HOME
A Look At DISA STIGs (1)

STIGs Master List

491
A Look At DISA STIGs (1)

STIGs Viewer
A Look At DISA STIGs (1)

STIG Viewer Download

493
A Look At DISA STIGs (1)

STIG Library Compilation

494
A Look At DISA STIGs (1)

STIG Viewer Window


A Look At DISA STIGs (1)
Import STIG

496
A Look At DISA STIGs (1)

• Completely different
mechanism for DISA
STIGs

END

497
A Look At DISA STIGs (2)

• STIG content:
– General information
(title)
– Discussion
– Check content
– Fix text
– CCI (References)

498
A Look At DISA STIGs (2)
SEVERITY | DISA CATEGORY CODE GUIDELINES
CAT 1 | Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.
CAT 2 | Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.
CAT 3 | Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.
499
A Look At DISA STIGs (2)

FILTER PANEL

500
A Look At DISA STIGs (2)

CREATE CHECKLIST

501
A Look At DISA STIGs (2)

CHECKLIST

502
A Look At DISA STIGs (2)

• Checklist screens:
– Overall totals
– Target data
– Role
– Finding details
– Comments

503
A Look At DISA STIGs (2)

• Checklist screens
(STATUS):
– Not reviewed
– Open
– Not a finding
– Not applicable

504
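The severity table and the checklist status screens above are what the STIG Viewer "Totals" view rolls up, and that roll-up is also the validation status the ISMC needs before step 7 (change management for PROD) can start. The following is an added example, not code from DISA, the STIG Viewer or these handouts: it reads a constructed CSV export of a checklist (the column layout is assumed here; STIG Viewer's own .ckl format is XML and is not parsed), computes the totals, and applies a gate that is also an assumption, namely that nothing may remain "Not reviewed" and no CAT I item may still be "Open" before production. V-1099 and V-3967 are the vulnerability IDs shown in this section; V-EXAMPLE-1 is a placeholder.

```python
"""Roll up a STIG-style checklist into STIG Viewer-like totals and decide
whether step 7 (change management for PROD) may begin.

Added example (not from DISA or the handouts). The CSV layout and the
readiness gate are assumptions made for illustration.
"""
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

STATUSES = ("Not reviewed", "Open", "Not a finding", "Not applicable")
SEVERITIES = ("CAT I", "CAT II", "CAT III")

# Constructed checklist export; not data from a real system.
SAMPLE_CSV = """vuln_id,stig_id,severity,status,finding_details
V-1099,WN12-AC-000003,CAT II,Not a finding,Lockout duration is 0
V-3967,NET1624,CAT II,Open,Console timeout is 30 minutes
V-EXAMPLE-1,WN12-CC-000074,CAT I,Not reviewed,
V-EXAMPLE-2,GEN002220,CAT I,Not a finding,All shells are 0755
V-EXAMPLE-3,O121-BP-022700,CAT I,Not applicable,No listener on this host
"""

def load_checklist(text: str) -> List[Dict[str, str]]:
    """Parse the export and reject rows whose status/severity is not one of
    the four STIG Viewer statuses or three DISA categories."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["status"] not in STATUSES:
            raise ValueError(f"{row['vuln_id']}: unknown status {row['status']!r}")
        if row["severity"] not in SEVERITIES:
            raise ValueError(f"{row['vuln_id']}: unknown severity {row['severity']!r}")
    return rows

def totals(rows: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Counts per status (the Totals screen) plus open findings by severity,
    which is what a change board reads first."""
    by_status = Counter(r["status"] for r in rows)
    open_by_sev = Counter(r["severity"] for r in rows if r["status"] == "Open")
    return {"by_status": dict(by_status), "open_by_severity": dict(open_by_sev)}

def ready_for_change_management(rows: List[Dict[str, str]]) -> Tuple[bool, List[str]]:
    """Assumed gate for step 7: validation must be complete (no 'Not reviewed')
    and no CAT I finding may still be Open. Returns (ready, reasons)."""
    reasons = []
    unreviewed = [r["vuln_id"] for r in rows if r["status"] == "Not reviewed"]
    if unreviewed:
        reasons.append("not reviewed: " + ", ".join(unreviewed))
    cat1_open = [r["vuln_id"] for r in rows
                 if r["severity"] == "CAT I" and r["status"] == "Open"]
    if cat1_open:
        reasons.append("CAT I open: " + ", ".join(cat1_open))
    return (not reasons, reasons)

if __name__ == "__main__":
    checklist = load_checklist(SAMPLE_CSV)
    print(totals(checklist))
    print(ready_for_change_management(checklist))
```

On the sample data the checklist is not ready: one item is still "Not reviewed", so the InfoSec validation status handed to the ISMC is incomplete even though no CAT I finding is open.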
A Look At DISA STIGs (2)

Totals

505
A Look At DISA STIGs (2)

Target Data
A Look At DISA STIGs (2)

Status

507
A Look At DISA STIGs (2)

Vuln Information

508
A Look At DISA STIGs (2)

• In the next module let's look at further details

END

509
A Look At DISA STIGs (3)

• Windows Server 2012 R2 Member Server
– Import STIG
– V1099 (Lockout
duration)

510
A Look At DISA STIGs (2)

511
A Look At DISA STIGs (2)

512
A Look At DISA STIGs (3)

• Rule Title:
– The lockout duration
must be configured
to require an
administrator to
unlock an account
– Severity: CAT II

513
A Look At DISA STIGs (3)

• Discussion:
– The account lockout
feature, when
enabled, prevents
brute-force password
attacks on the
system. This
parameter specifies
the period of time
that an account will
remain locked after
the specified number
514
A Look At DISA STIGs (3)

• Discussion…:
– of failed logon
attempts. A value of
0 will require an
administrator to
unlock the account.

515
A Look At DISA STIGs (3)

• Check Content:
– Verify the effective
setting in Local Group
Policy Editor.
Run "gpedit.msc".

516
A Look At DISA STIGs (3)

• Check Content:
– Navigate to Local
Computer Policy ->
Computer
Configuration ->
Windows Settings ->
Security Settings ->
Account Policies ->
Account Lockout
Policy.

517
A Look At DISA STIGs (3)

• Check Content…:
– If the "Account
lockout duration" is
not set to "0",
requiring an
administrator to
unlock the account,
this is a finding.

518
A Look At DISA STIGs (3)

• Fix Text:
– Configure the policy
value for Computer
Configuration ->
Windows Settings ->
Security Settings ->
Account Policies ->
Account Lockout
Policy -> "Account
lockout duration" to
"0" minutes,

519
A Look At DISA STIGs (3)

• Fix Text….:
– "Account is locked
out until
administrator unlocks
it".
• CCI: NIST SP 800-53
Revision 4 :: AC-7 b

END

520
A Look At DISA STIGs (4)

• Firewall Security
Technical
Implementation Guide
• Vulnerability ID: V-3967
• Rule name: The console
port does not timeout
after 10 mins

521
A Look At DISA STIGs (4)

STIGVIEWER WINDOW

522
A Look At DISA STIGs (4)

• General Information:
– Rule Title: The
network devices
must time out access
to the console port at
10 minutes or less of
inactivity
– STIG ID: NET1624
– Severity: CAT II

523
A Look At DISA STIGs (4)

• Discussion:
– Terminating an idle
session within a short
time period reduces
the window of
opportunity for
unauthorized
personnel to take
control of a
management session
enabled on the
console or console…
524
A Look At DISA STIGs (4)

• Discussion…:
– port that has been
left unattended. In
addition quickly
terminating an idle
session will also free
up resources
committed by the
managed network
device. Setting the
timeout of the
session to 10 minutes
525
A Look At DISA STIGs (4)

• Discussion…:
– or less increases the
level of protection
afforded critical
network components

526
A Look At DISA STIGs (4)

• Check Content:
– Review the
configuration and
verify a session using
the console port will
time out after 10 mins
or less of inactivity.
– If console access is
not configured to
timeout at 10 minutes
or less, this is a
finding.
527
A Look At DISA STIGs (4)

• Fix Text:
– Configure the
timeout for idle
console connection
to 10 minutes or less.

END

528
Comparison of CIS Vs DISA

• Many controls are common
• Approaches are
different
• Organization styles are
different

529
Comparison of CIS Vs DISA
FEATURE | CIS | DISA
CONTROL COVERAGE | GOOD | EXCELLENT
ORG SUITABILITY | SMALL AND MEDIUM ORGS | LARGE ORGS
USER FRIENDLINESS | GOOD | SATISFACTORY
UNUSABLE TERMINOLOGY | NO | YES
CONTROL DETAIL | GOOD | SATISFACTORY
TOOLS | CAT (COMMERCIAL) | SCAP (MILITARY USE)
530
Comparison of CIS Vs DISA
FEATURE | CIS | DISA
CONTROL PRIORITIZATION | LEVEL 1, LEVEL 2 | CAT I - CAT III
TRACKING EASE | CAT TOOL (COMMERCIAL) | FREE STIG VIEWER (CHECKLIST)
FREQUENCY OF UPDATES | FAIR | QUARTERLY
INDUSTRY CREDIBILITY | HIGH | VERY HIGH
INDUSTRY ADOPTION | HIGH | MODERATE

531
Comparison of CIS Vs DISA

• How to select CIS/DISA:
– Size of organization
– IT infrastructure
extent
– Nature of business
– Security program
goals
– Maturity of IT &
security staff

532
Comparison of CIS Vs DISA

• Rule of thumb:
– Smaller orgs use CIS
– Larger orgs use DISA
– CIS is part of
Homeland Security,
DISA is part of US
Military
– DISA more frequently updated and maintained with wider coverage

END

533
Security Hardening – Windows Server 2012R2

• Windows Server 2012 – R2
• DISA, Release 8
– 28 April 2017
• Domain Controller

534
Security Hardening – Windows Server 2012R2

STIGVIEWER WINDOW
Security Hardening – Windows Server 2012R2

• General Information:
– Rule Title: Autoplay
must be disabled for
all drives
– STIG ID: WN12-CC-
000074
– Severity: CAT I

536
Security Hardening – Windows Server 2012R2

• Discussion:
– Allowing Autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or ….
537
Security Hardening – Windows Server 2012R2

• Discussion…:
– music on audio media
may start. By default,
Autoplay is disabled
on removable drives,
such as the floppy
disk drive (but not
the CD-ROM drive)
and on network
drives.

538
Security Hardening – Windows Server 2012R2

• Discussion…:
– Enabling this policy
disables Autoplay on
all drives.…

539
Security Hardening – Windows Server 2012R2

• Check Content:
– If the following
registry value does
not exist or is not
configured as
specified, this is a
finding:
– Registry Hive: HKEY_LOCAL_MACHINE

540
Security Hardening – Windows Server 2012R2

• Check Content:
– Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
– Value Name: NoDriveTypeAutoRun
– Type: REG_DWORD
Value: 0x000000ff (255)

541
Security Hardening – Windows Server 2012R2

• Fix Text:
– Configure the policy
value for Computer
Configuration ->
Administrative
Templates ->
Windows
Components ->
AutoPlay Policies ->
"Turn off AutoPlay"
to "Enabled:All
Drives".
542
Security Hardening – Windows Server 2012R2

• CCI (Control Correlation Identifier):
– CCI: CCI-001764
The information
system prevents
program execution in
accordance with
organization-defined
policies regarding
software program
usage and
restrictions…
543
Security Hardening – Windows Server 2012R2

• CCI (Control Correlation Identifier):
– …and/or rules
authorizing the terms
and conditions of
software program
usage.
NIST SP 800-53
Revision 4 :: CM-7 (2)

END

544
Case Study Security Hardening – Linux

• CIS Benchmarks case study (Red Hat Enterprise Linux 7)

545
Case Study Security Hardening – Linux

• January 31, 2017
• 347 pages PDF doc

546
Case Study Security Hardening – Linux

• 5.2.2 (page 258); Ensure SSH Protocol is set to 2 (Scored)
• Profile applicability:
– Level 1, Server
– Level 1, Workstation

547
Case Study Security Hardening – Linux

• 5.2.2 (page 258); Ensure SSH Protocol is set to 2 (Scored)
– Description: SSH supports 2 different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol & was subject to security issues. SSH2 is more advanced and secure.
548
Case Study Security Hardening – Linux

• 5.2.2 (page 258); Ensure SSH Protocol is set to 2 (Scored)
– Rationale: SSH v1
suffers from
insecurities that do
not affect SSH v2.

549
Case Study Security Hardening – Linux

• 5.2.2 (page 258); Ensure SSH Protocol is set to 2 (Scored)
– Audit: Run the following command and verify that the output matches:
# grep "^Protocol" /etc/ssh/sshd_config
Protocol 2

550
Case Study Security Hardening – Linux

• 5.2.2 (page 258); Ensure SSH Protocol is set to 2 (Scored)
– Remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
Protocol 2

551
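The audit above is a single grep for a line starting with "Protocol". A validator in step 6 usually wants the check to read the file the way sshd does, so that an indented directive, a "Protocol=2" spelling, or an earlier "Protocol 2,1" line (the first occurrence of a keyword is the one sshd honours) is judged correctly. The block below is an added example, not code from the CIS benchmark or these handouts; it assumes RHEL 7-era OpenSSH semantics (case-insensitive keywords, first occurrence wins, "#" comments, comma-separated protocol lists) and carries the same check through to an idempotent remediation. Newer OpenSSH releases removed SSH1 support altogether and ignore the directive, so on those hosts this control is moot.

```python
"""Audit and remediate CIS RHEL 7 benchmark 5.2.2 ('Ensure SSH Protocol is
set to 2') by parsing sshd_config the way sshd reads it.

Added example, not from the CIS benchmark or the handouts.
"""
import re
from typing import Optional

# Keywords in sshd_config are alphabetic; values follow whitespace or '='.
_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")

def first_keyword_value(config_text: str, keyword: str) -> Optional[str]:
    """Return the value of the first effective occurrence of `keyword`.

    sshd treats the first occurrence as authoritative, so a later correct
    'Protocol 2' does not override an earlier 'Protocol 2,1'. Leading
    whitespace and '=' are accepted, which a bare grep "^Protocol" misses.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2).strip()
    return None

def audit_ssh_protocol(config_text: str) -> dict:
    """Evaluate 5.2.2. The benchmark expects exactly 'Protocol 2': an absent
    directive, 'Protocol 1' or 'Protocol 2,1' (v1 still negotiable) are all
    findings."""
    value = first_keyword_value(config_text, "Protocol")
    if value is None:
        return {"status": "Open", "reason": "Protocol directive not set"}
    versions = {v.strip() for v in value.split(",")}
    if versions == {"2"}:
        return {"status": "Not a finding", "reason": "Protocol 2"}
    return {"status": "Open", "reason": f"Protocol {value}"}

def remediate_ssh_protocol(config_text: str) -> str:
    """Return the config with the effective Protocol line set to 'Protocol 2'
    (appended if none exists) and any later, ignored duplicates removed.
    Idempotent, so it is safe in a configuration-management loop."""
    out, replaced = [], False
    for raw in config_text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if re.match(r"^protocol\b", stripped, re.IGNORECASE):
            if not replaced:
                out.append("Protocol 2")
                replaced = True
            continue
        out.append(raw)
    if not replaced:
        out.append("Protocol 2")
    return "\n".join(out) + "\n"

# Constructed sample configurations (not taken from any real host).
SAMPLE_COMPLIANT = "Port 22\nProtocol 2\n#Protocol 1\n"
SAMPLE_V1_NEGOTIABLE = "   Protocol 2,1\nProtocol 2  # ignored: first wins\n"
SAMPLE_MISSING = "Port 22\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, text in [("compliant", SAMPLE_COMPLIANT),
                       ("v1 negotiable", SAMPLE_V1_NEGOTIABLE),
                       ("missing", SAMPLE_MISSING)]:
        print(f"{name:14} {audit_ssh_protocol(text)}")
    print(remediate_ssh_protocol(SAMPLE_V1_NEGOTIABLE), end="")
```

The second sample is the instructive one: the benchmark's grep would print the second line, "Protocol 2", and pass the host, while sshd actually honours the indented "Protocol 2,1" above it.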
Case Study Security Hardening – Linux

• 5.2.2 (page 258); Ensure SSH Protocol is set to 2 (Scored)
– Critical Controls: 3.4
Use Only Secure
Channels For Remote
System
Administration

552
Case Study Security Hardening – Linux

– Critical Controls: 3.4 Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption
553
Case Study - Security Hardening – Linux

– …should only be
used if they are
performed over a
secondary encryption
channel, such as SSL,
TLS or IPSEC.

554
Security Hardening – Case Study – Solaris

• Solaris 10 X86
• DISA, Release 18
– 28 April 2017

555
Security Hardening – Case Study – Solaris

STIGVIEWER WINDOW

556
Security Hardening – Case Study – Solaris

• General Information:
– Rule Title: All shell
files must have mode
0755 or less
permissive
– STIG ID: GEN002220
– Severity: CAT I

557
Security Hardening – Case Study – Solaris

• Discussion:
– Shells with
world/group-write
permissions give the
ability to maliciously
modify the shell to
obtain unauthorized
access.

558
Security Hardening – Case Study – Solaris

• Check Content:
– If /etc/shells exists,
check the group
ownership of each
shell referenced.
# cat /etc/shells | xargs -n1 ls -lL
– Otherwise, check any
shells found on the
system.
# find / -name "*sh" | xargs -n1 ls -lL
559
Security Hardening – Case Study – Solaris

• …Check Content:
– If a shell has a mode
more permissive than
0755, this is a finding

560
Security Hardening – Case Study – Solaris

• Fix Text:
– Change the mode of
the shell
# chmod 0755 <shell>

561
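The check content above leaves a human to read `ls -lL` output and decide what "more permissive than 0755" means. Read bit-wise, a mode passes when it sets no bit that 0755 does not: 0700 is fine, while 0775 (group write), 0757 (world write) and 4755 (setuid) are all findings. The block below is an added example, not code from DISA or these handouts; it parses a constructed /etc/shells, injects a stat function so the same logic runs against an embedded snapshot or the live filesystem (following symlinks like `ls -L`), and shows what the `chmod 0755` fix leaves behind.

```python
"""Check DISA STIG GEN002220 ('All shell files must have mode 0755 or less
permissive') programmatically.

Added example, not from the STIG or the handouts. The sample /etc/shells
and modes are constructed.
"""
import os
import stat
from typing import Callable, Dict, List, Optional

MAX_MODE = 0o755

def is_more_permissive(mode: int) -> bool:
    """True if `mode` sets any permission bit (including setuid/setgid/sticky)
    that 0755 does not."""
    return (stat.S_IMODE(mode) & ~MAX_MODE) != 0

def parse_etc_shells(text: str) -> List[str]:
    """/etc/shells lists one absolute path per line; '#' starts a comment."""
    shells = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("/"):
            shells.append(line)
    return shells

def live_stat(path: str) -> Optional[int]:
    """Follow symlinks (as `ls -L` does) and return st_mode, or None if absent."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None

def audit_shells(shells: List[str],
                 stat_fn: Callable[[str], Optional[int]] = live_stat) -> Dict[str, str]:
    """Map each shell path to a STIG Viewer status. A path that does not exist
    is 'Not applicable'; anything beyond 0755 is an 'Open' finding."""
    results = {}
    for path in shells:
        mode = stat_fn(path)
        if mode is None:
            results[path] = "Not applicable"
        elif is_more_permissive(mode):
            results[path] = "Open"
        else:
            results[path] = "Not a finding"
    return results

def fix_mode(mode: int) -> int:
    """Mode that the fix text (`chmod 0755 <shell>`) results in: only the bits
    inside 0755 survive, so setuid/setgid/sticky and group/world write go."""
    return stat.S_IMODE(mode) & MAX_MODE

# Constructed snapshot standing in for `cat /etc/shells | xargs -n1 ls -lL`.
SAMPLE_ETC_SHELLS = "# valid login shells\n/bin/sh\n/bin/bash\n/usr/bin/ksh\n/bin/zsh\n"
SAMPLE_MODES = {
    "/bin/sh":      stat.S_IFREG | 0o755,   # compliant
    "/bin/bash":    stat.S_IFREG | 0o775,   # group-writable: finding
    "/usr/bin/ksh": stat.S_IFREG | 0o4755,  # setuid bit: finding
    # /bin/zsh is deliberately absent from the snapshot
}

def snapshot_stat(path: str) -> Optional[int]:
    return SAMPLE_MODES.get(path)

if __name__ == "__main__":
    report = audit_shells(parse_etc_shells(SAMPLE_ETC_SHELLS), snapshot_stat)
    for path, status in report.items():
        print(f"{status:15} {path}")
```

To run it against a real host, call `audit_shells(parse_etc_shells(open("/etc/shells").read()))` with the default `live_stat`; the STIG's fallback `find / -name "*sh"` sweep can feed the same function with its own path list.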
Security Hardening – Case Study – Solaris

• CCI (Control Correlation Identifier):
– CCI-000225
The organization
employs the concept
of least privilege,
allowing only
authorized accesses
for users (and
processes acting on
behalf of users)
which are necessary...
562
Security Hardening – Case Study – Solaris

• …CCI (Control
Correlation Identifier):
– …to accomplish
assigned tasks in
accordance with
organizational
missions and business
functions

563
Security Hardening – Case Study – Solaris

• …CCI (Control
Correlation Identifier):
– …NIST SP 800-53 ::
AC-6
NIST SP 800-53A ::
AC-6.1
NIST SP 800-53
Revision 4 :: AC-6

564
Case Study Security Hardening – Apache

• CIS Benchmarks case study (Apache Tomcat 7)

565
Case Study Security Hardening – Apache

• April 26, 2016
• 94 pages PDF doc

566
Case Study Security Hardening – Apache

• 7.7 (page 65); Configure log file size limit (Scored)
• Profile applicability:
– Level 2

567
Case Study Security Hardening – Apache

• 7.7 (page 65); Configure log file size limit (Scored)
– Description: By
default, the
logging.properties
file will have no
defined limit for the
log file size. This is a
potential denial of
service attack as it
would be possible
to…
568
Case Study Security Hardening – Apache

• 7.7 (page 65); Configure log file size limit (Scored)
– Description: …fill a
drive or partition
containing the log
files

569
Case Study Security Hardening – Apache

• 7.7 (page 65); Configure log file size limit (Scored)
– Rationale:
Establishing a
maximum log size
that is smaller than
the partition size will
help mitigate the risk
of an attacker
maliciously
exhausting disk space

570
Security Hardening – Case Study – Oracle

• Oracle Database 12c
• DISA, Release 18
– 28 April 2017

571
Security Hardening – Case Study – Oracle

STIGVIEWER WINDOW

572
Security Hardening – Case Study – Oracle

• General Information:
– Rule Title: The Oracle
Listener must be
configured to require
administration
authentication
– STIG ID: O121-BP-
022700
– Severity: CAT I

573
Security Hardening – Case Study – Oracle

• Discussion:
– Oracle listener
authentication helps
prevent unauthorized
administration of the
Oracle listener.
Unauthorized
administration of the
listener could lead to
DoS exploits;

574
Security Hardening – Case Study – Oracle

• Discussion…:
– …loss of connection
audit data,
unauthorized
reconfiguration or
other unauthorized
access. This is a
Category I finding
because privileged
access to the listener
is not restricted to
authorized users.
575
Security Hardening – Case Study – Oracle

• Discussion…:
– …Unauthorized
access can result in
stopping of the
listener (DoS) and
overwriting of
listener audit logs.

576
Security Hardening – Case Study – Oracle

• Check Content:
– If a listener is not
running on the local
database host server,
this check is not a
finding

577
Security Hardening – Case Study – Oracle

• …Check Content:
– For Windows hosts,
view all Windows
services with
TNSListener
embedded in the
service name
– The service name
format is:
Oracle[ORACLE_HOME_NAME]TNSListener

578
Security Hardening – Case Study – Oracle

• …Check Content:
– View the STIGVIEWER
for Unix hosts…

579
Security Hardening – Case Study – Oracle

• Fix Text:
– By default, Oracle Net Listener permits only local administration for security reasons. As a policy, the listener can be administered only by the user who started it. This is enforced through local operating system authentication.
580
Security Hardening – Case Study – Oracle

• Fix Text:
– For example, if user1
starts the listener,
then only user1 can
administer it. Any
other user trying to
administer the
listener gets an error.
The super user is the
only exception.

581
Security Hardening – Case Study – Oracle

• Fix Text:
– Remote administration of the listener must not be permitted. If listener administration from a remote system is required, granting secure remote access to the Oracle DBMS server and performing local administration is preferred.
582
Security Hardening – Case Study – Oracle

• CCI (Control Correlation Identifier):
– CCI: CCI-000366
The organization
implements the
security configuration
settings.

583
Security Hardening – Case Study – Oracle

• …CCI (Control
Correlation Identifier):
– …NIST SP 800-53 ::
CM-6 b
NIST SP 800-53A ::
CM-6.1 (iv)
NIST SP 800-53
Revision 4 :: CM-6 b

END

584
Case Study Security Hardening – MS SQL

• CIS Benchmarks case study (MS SQL Server 2012)

585
Case Study Security Hardening – MS SQL

• September 30, 2016
• 73 pages PDF doc

586
Case Study Security Hardening – MS SQL

• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
• Profile applicability:
– Level 1 database
engine

587
Case Study Security Hardening – MS SQL

• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
– Description: The sa
account is a widely
known and often
widely used SQL
Server account with
sysadmin privileges.

588
Case Study Security Hardening – MS SQL

• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
– Rationale: It is more
difficult to launch
password-guessing
and brute-force
attacks against the sa
account if the
username is not
known.

589
Case Study Security Hardening – MS SQL

• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
– Audit: Use the following syntax to determine if the sa account is renamed:
SELECT name FROM sys.server_principals WHERE sid = 0x01;

590
Case Study Security Hardening – MS SQL

• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
– Audit: …A name of sa
indicates the account
has not been
renamed

591
Case Study Security Hardening – MS SQL

• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
– Remediation: Replace the different_user value within the syntax below and execute it to rename the sa login:
ALTER LOGIN sa WITH NAME = <different_user>;
592
Case Study Security Hardening – MS SQL

• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
– Impact: It is not a
good security
practice to code
applications or scripts
to use the sa
account…

593
Case Study Security Hardening – MS SQL

• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
– Impact: …However, if this has been done, renaming the sa account will prevent those scripts and applications from authenticating to the database server and executing required tasks or functions.
594
Case Study Security Hardening – MS SQL

• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
– Default Value: By default, the 'sa' account name is 'sa'

595
Case Study Security Hardening – MS SQL

• 2.14 Ensure 'sa' Login Account has been renamed (Scored)
– References: https://msdn.microsoft.com/en-us/library/ms144284(v=sql.110).aspx (Choose An Authentication Mode)

END

596
Security Hardening – Case Study – Oracle

• Oracle database 11.2g
• DISA, Release 11
– 28 April 2017

597
Security Hardening – Case Study – Oracle

STIGVIEWER WINDOW

598
Security Hardening – Case Study – Oracle

• General Information:
– Rule Title: The Oracle
REMOTE_OS_ROLES
parameter must be
set to FALSE.
– STIG ID: O112-BP-
022000
– Severity: CAT I

599
Security Hardening – Case Study – Oracle

• Discussion:
– Setting
REMOTE_OS_ROLES
to TRUE allows
operating system
groups to control
Oracle roles. The
default value of
FALSE causes roles to
be identified and
managed by the
database…
600
Security Hardening – Case Study – Oracle

• Discussion…:
– …If
REMOTE_OS_ROLES
is set to TRUE, a
remote user could
impersonate another
operating system
user over a network
connection.

601
Security Hardening – Case Study – Oracle

• Check Content:
– From SQL*Plus:
select value from v$parameter where name = 'remote_os_roles';
– If the returned value
is not FALSE or not
documented in the
System Security Plan
as required, this is a
Finding
602
Security Hardening – Case Study – Oracle

• Fix Text:
– Document remote OS
roles in the System
Security Plan.
– If not required,
disable use of remote
OS roles.
– From SQL*Plus:
alter system set remote_os_roles = FALSE scope = spfile;

603
Security Hardening – Case Study – Oracle

• Fix Text:
– The above SQL*Plus
command will set the
parameter to take
effect at next system
startup

604
Security Hardening – Case Study – Oracle

• CCI (Control Correlation Identifier):
– CCI: CCI-000366
The org implements the security configuration settings.
NIST SP 800-53 :: CM-6b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b

END

605
Case Study Security Hardening – Windows 8

• CIS Benchmarks case study (Windows 8.1)

606
Case Study Security Hardening – Windows 8

• January 31, 2017
• 891 pages PDF doc

607
Case Study Security Hardening – Windows 8

• 18.9.70.3 Ensure
'Automatically send
memory dumps for OS-
generated error reports'
is set to 'Disabled'
(Scored)
• Profile applicability:
– Level 1
– Level 1 + BitLocker

608
Case Study Security Hardening – Windows 8

• 18.9.70.3 Ensure
'Automatically send
memory dumps for OS-
generated error reports'
is set to 'Disabled'
(Scored)
• Description: This policy
setting controls whether
memory dumps in
support of OS-
generated error reports
can be sent to..
609
Case Study Security Hardening – Windows 8

• Description…:
…Microsoft
automatically. This
policy does not apply to
error reports generated
by 3rd-party products, or
additional data other
than memory dumps.
– The recommended
state for this setting
is: Disabled.

610
Case Study Security Hardening – Windows 8

– Rationale: Memory
dumps may contain
sensitive information
and should not be
automatically sent to
anyone.

611
Case Study Security Hardening – Windows 8

– Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

612
Case Study Security Hardening – Windows 8

– Audit: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting:AutoApproveOSDumps

613
Case Study Security Hardening – Windows 8

– Remediation: To
establish the
recommended
configuration via GP,
set the following UI
path to Disabled:

614
Case Study Security Hardening – Windows 8

– Remediation: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Error Reporting\Automatically send memory dumps for OS-generated error reports
615
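Both the Windows Server 2012 R2 Autoplay STIG (WN12-CC-000074, earlier in this section) and CIS 18.9.70.3 above are registry-backed controls whose audit reduces to "does the value exist, with the right type and data?" The block below is an added example, not code from DISA, CIS or these handouts. It encodes both checks as data, evaluates them against an injected reader so the same logic runs on a live Windows host (standard `winreg` module) or on a constructed snapshot elsewhere, and treats a missing key, a missing value or a wrong type as a finding, matching the STIG wording "does not exist or is not configured as specified". The expected data for NoDriveTypeAutoRun (0xff) is from the STIG text; the handouts give only the registry location for AutoApproveOSDumps, so the expected REG_DWORD value 0 for "Disabled" is an assumption made here.

```python
"""Evaluate registry-backed hardening checks against a live Windows host or
a constructed snapshot.

Added example, not from DISA, CIS or the handouts. The snapshot values are
constructed; the AutoApproveOSDumps expected value is an assumption.
"""
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

REG_DWORD = 4  # numeric value of winreg.REG_DWORD; defined here so the
               # snapshot path works on non-Windows hosts too

@dataclass(frozen=True)
class RegistryCheck:
    control_id: str
    key_path: str      # relative to HKEY_LOCAL_MACHINE
    value_name: str
    expected: int      # expected REG_DWORD data
    severity: str

CHECKS: List[RegistryCheck] = [
    RegistryCheck("WN12-CC-000074",
                  r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer",
                  "NoDriveTypeAutoRun", 0xFF, "CAT I"),
    RegistryCheck("CIS 18.9.70.3",
                  r"SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting",
                  "AutoApproveOSDumps", 0, "Level 1"),   # expected 0: assumption
]

# A reader returns (data, type) or None when the key or value is absent.
Reader = Callable[[str, str], Optional[Tuple[int, int]]]

def evaluate(check: RegistryCheck, read: Reader) -> Dict[str, str]:
    """Apply one check; every deviation from 'exists, REG_DWORD, expected data'
    is reported as Open with the reason."""
    found = read(check.key_path, check.value_name)
    if found is None:
        return {"id": check.control_id, "status": "Open",
                "reason": f"{check.value_name} does not exist"}
    data, kind = found
    if kind != REG_DWORD:
        return {"id": check.control_id, "status": "Open",
                "reason": f"type {kind} is not REG_DWORD"}
    if data != check.expected:
        return {"id": check.control_id, "status": "Open",
                "reason": f"value {data:#x}, expected {check.expected:#x}"}
    return {"id": check.control_id, "status": "Not a finding",
            "reason": f"value {data:#x}"}

def winreg_reader(key_path: str, value_name: str) -> Optional[Tuple[int, int]]:
    """Live reader for Windows hosts using the standard winreg module."""
    import winreg  # importable on Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            return winreg.QueryValueEx(key, value_name)  # (data, type)
    except OSError:
        return None

# Constructed snapshot of a partly hardened host (not real data): Autoplay
# value present but not 0xff, and no Windows Error Reporting policy key.
SAMPLE_SNAPSHOT = {
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer",
     "NoDriveTypeAutoRun"): (0x91, REG_DWORD),
}

def snapshot_reader(key_path: str, value_name: str) -> Optional[Tuple[int, int]]:
    return SAMPLE_SNAPSHOT.get((key_path, value_name))

def run_all(read: Reader) -> List[Dict[str, str]]:
    return [evaluate(c, read) for c in CHECKS]

if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else snapshot_reader
    for result in run_all(reader):
        print(result)
```

Keeping the checks as data and the reader injectable is what lets the same validator run in step 5 against the test setup and again in step 8 against PROD, and be unit-tested without a Windows host.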
Case Study Security Hardening – Windows 8

– Impact: All memory dumps are uploaded
according to the
default consent and
notification settings

616
Case Study Security Hardening – Windows 8

– Default Value:
Enabled. (Any
memory dumps
generated for error
reports by Microsoft
Windows are
automatically
uploaded, without
notification to the
user.)

617
Case Study Security Hardening – Windows 8

• References:
– CCE-33927-5
– Critical Controls:
13 Data Protection

END

618
Security Hardening – Case Study – Win 10

• Windows 10
• DISA, Release 9
  – 28 April 2017

STIGVIEWER WINDOW

• General Information:
  – Rule Title: The antivirus program must be configured to update signature files on a daily basis.
  – STIG ID: WN10-00-000046
  – Severity: CAT I
• Discussion:
  – Virus scan programs are a primary line of defense against the introduction of viruses and malicious code that can destroy data and even render a computer inoperable. Using a virus scan program provides the ability to detect malicious code before extensive damage occurs. Updated virus scan data files help protect a system, as constantly changing malware is identified by the antivirus software vendors.
• Check Content:
  – This requirement is NA if McAfee VirusScan Enterprise (VSE) is used. It will be addressed with the corresponding McAfee VSE STIG.
  – Configurations will vary depending on the product.
• Fix Text:
  – Configure the antivirus program to update signature files at least daily. Ensure the updates are occurring on a timely basis and are not more than a week old.
• CCI (Control Correlation Identifier):
  – CCI-000366: The organization implements the security configuration settings.
    NIST SP 800-53 :: CM-6 b
    NIST SP 800-53A :: CM-6.1 (iv)
    NIST SP 800-53 Revision 4 :: CM-6

END
626
Case Study Security Hardening – Apache

• 7.7 (page 65); Configure log file size limit (Scored)
  – Audit: Validate the max file limit is not greater than the size of the partition where the log files are stored.
  – Remediation: Create the following entry in your logging.properties file. This field is specified in bytes:
    java.util.logging.FileHandler.limit=10000
  – Default Value: No limit by default
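As an added example (not from the CIS benchmark or these handouts), the Python below parses a constructed logging.properties and carries out the Audit comparison of java.util.logging.FileHandler.limit against a partition size; the FileHandler.count property it also reads is the standard java.util.logging rotation count, which the slide does not mention.

```python
"""Audit for CIS Apache Tomcat recommendation 7.7, 'Configure log file size limit'.

Added example (not from the benchmark or the handouts). It reads a
logging.properties file, extracts java.util.logging.FileHandler.limit (bytes)
and checks it against the capacity of the partition that holds the log
files, the comparison the Audit text asks for. The properties text and the
partition size are constructed sample values.
"""

LIMIT_KEY = "java.util.logging.FileHandler.limit"
COUNT_KEY = "java.util.logging.FileHandler.count"   # number of rotated files, JDK default 1

SAMPLE_PROPERTIES = """\
# constructed sample logging.properties
handlers = java.util.logging.FileHandler, java.util.logging.ConsoleHandler
java.util.logging.FileHandler.pattern = ${catalina.base}/logs/catalina.%g.log
java.util.logging.FileHandler.count = 5
java.util.logging.FileHandler.limit = 10000
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: 'key=value' or 'key:value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            props[line] = ""
            continue
        sep = min(positions)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def file_handler_limit(props):
    """Configured limit in bytes, or None when unset (Tomcat default: no limit)."""
    value = props.get(LIMIT_KEY)
    return None if value is None else int(value)


def audit_log_limit(props, partition_bytes):
    """Scored check: a limit must be set and must not exceed the log partition.

    Also reports whether the whole rotation set (limit x count files) fits,
    since FileHandler keeps up to `count` files of `limit` bytes each.
    """
    limit = file_handler_limit(props)
    if limit is None:
        return {"compliant": False,
                "reason": "%s not set; default is no limit" % LIMIT_KEY}
    if limit > partition_bytes:
        return {"compliant": False,
                "reason": "limit %d B exceeds partition size %d B" % (limit, partition_bytes)}
    count = int(props.get(COUNT_KEY, "1"))
    total = limit * count
    return {"compliant": True, "limit": limit, "count": count,
            "max_total_bytes": total, "rotation_fits": total <= partition_bytes}


if __name__ == "__main__":
    print(audit_log_limit(parse_properties(SAMPLE_PROPERTIES), 20 * 1024 ** 3))
```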

629
Case Study Security Hardening – MS Exchange

• CIS Benchmarks case study (MS Exchange Server 2016)
• November 16, 2015
• 66 pages PDF doc

• 2.5 Set 'Do not permanently delete items until the database has been backed up' to 'True' (Scored)
• Profile applicability:
  – Level 1 - Mailbox Services Security
• Description: This setting allows you to ensure that items are not permanently deleted until the database has been backed up.
• Rationale: To ensure that accidentally deleted items can be recovered, they should not be permanently deleted until the database is backed up.
• Audit: Execute the following cmdlet and ensure RetainDeletedItemsUntilBackup is set to 'True':
  Get-MailboxDatabase <Mailbox Database Name> | fl -property RetainDeletedItemsUntilBackup
• Remediation: To implement the recommended state, execute the following PowerShell cmdlet:
  Set-MailboxDatabase <Mailbox Database Name> -RetainDeletedItemsUntilBackup $true
• Impact: The impact of enabling this setting should be minimal. More storage space will be required until any pending items are permanently deleted.
• Default Value: False

END

640
Security Hardening – Case Study – AD

• Active Directory Domain
• DISA, Release 8
  – 27 January, 2017

STIGVIEWER WINDOW

• General Information:
  – Rule Title: Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
  – STIG ID: AD.0002
  – Severity: CAT I
• Discussion:
  – The Domain Admins group is a highly privileged group. Personnel who are system administrators must log on to Active Directory systems only using accounts with the level of authority necessary. Only system administrator accounts used exclusively to manage an Active Directory domain and domain controllers may be members of the Domain Admins group. A separation of administrator responsibilities helps mitigate the risk of privilege escalation resulting from credential theft attacks.
• Check Content:
  – Review the Domain Admins group in Active Directory Users and Computers. Each Domain Administrator must have a separate unique account specifically for managing the Active Directory domain and domain controllers.
  – If any account listed in the Domain Admins group is a member of other administrator groups including the Enterprise Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.
• Fix Text:
  – Create the necessary documentation that identifies the members of the Domain Admins group. Ensure that each member has a separate unique account that can only be used to manage the Active Directory domain and domain controllers. Remove any Domain Admin accounts from other administrator groups.
• CCI (Control Correlation Identifier):
  – CCI-000366: The organization implements the security configuration settings.
    NIST SP 800-53 :: CM-6 b
    NIST SP 800-53A :: CM-6.1 (iv)
    NIST SP 800-53 Revision 4 :: CM-6 b

END

653
Case Study Security Hardening – IE Browser

• CIS Benchmarks case study (MS Internet Explorer 11)
• January 12, 2014
• 178 pages PDF doc

• 1.5 Configure 'Do not allow users to enable or disable add-ons' (Not Scored)
• Profile applicability:
  – Level 1
• Description: This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager. If you enable this policy setting, users cannot enable or disable add-ons through Add-On Manager. The only exception occurs if an add-on has been specifically entered into the 'Add-On List' policy setting in such a way as to allow users to continue to manage the add-on. In this case, the user can still manage the add-on through the Add-On Manager. If you disable or do not configure this policy setting, the appropriate controls in the Add-On Manager will be available to the user. Configure this setting in a manner that is consistent with security and operational requirements of your organization.
• Rationale: Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network.
• Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoExtensionManagement
• Remediation: To establish the recommended configuration via Group Policy, set the following UI path to Not Configured:
  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Do not allow users to enable or disable add-ons
• Impact: When the Do not allow users to enable or disable add-ons setting is enabled, users will not be able to enable or disable their own Internet Explorer add-ons. If your organization uses add-ons, this configuration may affect their ability to work.
• Default Value: Disabled

668
Security Hardening – Case Study - Chrome

• Google Chrome
• DISA, Release 8
  – 27 April, 2017

STIGVIEWER WINDOW

• General Information:
  – Rule Title: Session only based cookies must be disabled.
  – Vuln ID: V-44799
  – STIG ID: DTBC-0045
  – Severity: CAT I
• Discussion:
  – Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. If the 'RestoreOnStartup' policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.
• Check Content:
  – Universal method:
    1. In the omnibox (address bar) type chrome://policy
    2. If the policy 'CookiesSessionOnlyForUrls' exists, and has any defined values, this is a finding.
  – Windows method:
    1. Start regedit
    2. Navigate to HKLM\Software\Policies\Google\Google Chrome\Content Settings\CookiesSessionOnlyForUrls
    3. If this key exists and has any defined values, this is a finding.
• Fix Text:
  – Windows group policy:
    1. Open the group policy editor tool with gpedit.msc
    2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings
       Policy Name: Allow session only cookies on these sites
       Policy State: Disabled
       Policy Value: N/A
• CCI (Control Correlation Identifier):
  – CCI-000166: The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
    NIST SP 800-53 :: AU-10
    NIST SP 800-53A :: AU-10.1
    NIST SP 800-53 Revision 4 :: AU-10
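The Windows 8.1 AutoApproveOSDumps, IE NoExtensionManagement and Chrome CookiesSessionOnlyForUrls checks above are all backed by values under HKLM\Software\Policies, so a single export of that hive can be audited for all three. The Python below is an added example, not code from CIS, DISA or these handouts; the .reg text is constructed, and the key paths are the ones quoted on the slides.

```python
"""Registry-backed audit for three checks quoted in these slides.

Added example (not from CIS, DISA or the handouts). It parses a Windows
Registry Editor (.reg) export, e.g. the output of
`reg export "HKLM\\SOFTWARE\\Policies" policies.reg`, and evaluates:
  - CIS Windows 8.1 18.9.70.3: AutoApproveOSDumps must be REG_DWORD 0 (Disabled)
  - CIS IE 11 1.5 (Not Scored): report the NoExtensionManagement state
  - DISA Chrome DTBC-0045: a CookiesSessionOnlyForUrls key with values is a finding
The export below is a constructed sample, deliberately non-compliant.
"""
import re

# Key paths exactly as quoted on the slides (Windows compares them case-insensitively).
WER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting"
IE_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions"
CHROME_KEY = (r"HKEY_LOCAL_MACHINE\Software\Policies\Google\Google Chrome"
              r"\Content Settings\CookiesSessionOnlyForUrls")

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting]
"AutoApproveOSDumps"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoExtensionManagement"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Google\Google Chrome\Content Settings\CookiesSessionOnlyForUrls]
"1"="[*.]example.com"
"""

_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key path lower-cased: {value name: value}} from .reg text.

    REG_DWORD becomes int, quoted REG_SZ becomes str; any other type keeps its
    raw right-hand side. The key's default value (@) is stored under the name ''.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = _VALUE_RE.match(line)
        if match is None or current is None:
            continue
        name = "" if match.group("default") else match.group("name")
        data = match.group("data")
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            keys[current][name] = data
    return keys


def get_value(keys, key_path, name):
    """Case-insensitive lookup; None when the key or the value is absent."""
    return keys.get(key_path.lower(), {}).get(name)


def check_auto_approve_os_dumps(keys):
    """CIS 18.9.70.3: Disabled is stored as 0. Absent means Not Configured, so the default (Enabled) applies."""
    value = get_value(keys, WER_KEY, "AutoApproveOSDumps")
    return {"check": "18.9.70.3 AutoApproveOSDumps", "value": value, "compliant": value == 0}


def check_no_extension_management(keys):
    """CIS IE 1.5 (Not Scored): the slide's recommendation is Not Configured, so just report the state."""
    value = get_value(keys, IE_KEY, "NoExtensionManagement")
    state = {None: "Not Configured", 0: "Disabled", 1: "Enabled"}.get(value, "Unexpected (%r)" % (value,))
    return {"check": "IE 1.5 NoExtensionManagement", "value": value, "state": state}


def check_cookies_session_only_for_urls(keys):
    """DISA DTBC-0045: the key existing with any defined values is a finding."""
    values = keys.get(CHROME_KEY.lower(), {})
    return {"check": "DTBC-0045 CookiesSessionOnlyForUrls",
            "urls": list(values.values()), "finding": bool(values)}


def audit(text):
    """Run all three checks over one .reg export and return their results in order."""
    keys = parse_reg_export(text)
    return [check_auto_approve_os_dumps(keys),
            check_no_extension_management(keys),
            check_cookies_session_only_for_urls(keys)]


if __name__ == "__main__":
    for result in audit(SAMPLE_EXPORT):
        print(result)
```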
681
Case Study Security Hardening – Firefox

• CIS Benchmarks case study (Mozilla Firefox)
• December 31, 2015
• 72 pages PDF doc

• 3.5 (L2) Enable IDN Show Punycode (Scored)
• Profile applicability:
  – Level 2
• Description: This feature determines whether all Internationalized Domain Names (IDNs) displayed in the browser are displayed as Punycode or as Unicode.
• Rationale: IDNs displayed in Punycode are easier to identify and therefore help mitigate the risk of accessing spoofed web pages.
• Audit: Perform the following procedure:
  1. Type about:config in the address bar
  2. Type network.IDN_show_punycode in the filter
  3. Ensure the preferences listed are set to the values specified below:
     network.IDN_show_punycode=true
• Remediation: Perform the following procedure:
  1. Open the mozilla.cfg file in the installation directory with a text editor
  2. Add the following lines to mozilla.cfg:
     lockPref("network.IDN_show_punycode", true);
• Default Value: false

END
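To see what recommendation 3.5 protects against, this added Python example (not from the benchmark or these handouts) shows the Punycode form a look-alike hostname takes and adds a mixed-script heuristic a reviewer might run over URLs in logs; the hostnames are constructed, and U+0430 is the Cyrillic small letter a.

```python
"""Why CIS Firefox 3.5 wants IDNs shown as Punycode.

Added example (not from the benchmark or the handouts). It converts
hostnames to the xn-- form the address bar shows when
network.IDN_show_punycode is true, and flags labels that mix scripts,
the shape of many look-alike (homograph) domains. The hostnames below are
constructed samples; U+0430 is the Cyrillic small letter a.
"""
import unicodedata


def to_punycode(hostname):
    """ASCII (xn--) form of a hostname, label by label, via the IDNA ToASCII operation."""
    return hostname.encode("idna").decode("ascii")


def from_punycode(hostname):
    """Unicode form of an xn-- hostname."""
    return hostname.encode("ascii").decode("idna")


def label_scripts(label):
    """Scripts of the letters in one label, taken from the first word of each character's
    Unicode name ('LATIN SMALL LETTER P' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(hostname):
    """True when any label mixes letters from more than one script.

    A whole-label substitution (every letter Cyrillic) is not caught here; that
    is why displaying the Punycode form, rather than a heuristic, is the control.
    """
    return any(len(label_scripts(label)) > 1 for label in hostname.split("."))


def describe(hostname):
    """What a reviewer wants to see for a hostname found in a link or a log line."""
    ascii_form = to_punycode(hostname)
    return {
        "unicode": hostname,
        "ascii": ascii_form,
        "is_idn": any(label.startswith("xn--") for label in ascii_form.split(".")),
        "mixed_script": is_mixed_script(hostname),
    }


if __name__ == "__main__":
    for host in ("example.com", "\u0430pple.com", "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"):
        print(describe(host))
```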

690
Security Hardening – Case Study - FW

• Firewall STIG
• DISA, Release 22
  – 28 April, 2017

STIGVIEWER WINDOW

692
Security Hardening – Case Study - Switch

• Layer 2 Switch STIG
• DISA, Release 20
  – 28 Oct, 2016

STIGVIEWER WINDOW

• General Information:
  – Rule Title: The IAO will ensure that all switchports configured using MAC port security will shutdown upon receiving a frame with a different layer 2 source address than what has been configured or learned for port security.
  – Vuln ID: V-18565
  – STIG ID: NET-NAC-032
  – Severity: CAT III
• Discussion:
  – The Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port.
• Check Content:
  – A shutdown action puts the interface into the error-disabled state immediately and sends an SNMP trap notification if it receives a frame with a different layer 2 source address than what has been configured or learned for port security. The following Catalyst IOS interface command will shutdown the interface when such an event occurs:
    switchport port-security violation shutdown
• Fix Text:
  – Configure the port to shutdown when insecure hosts are connected to the wall jack.

END

701
Case Study Security Hardening – Cisco IOS 15

• CIS Benchmarks case study (Cisco IOS 15)
• For Cisco routers running IOS 15M
• June 30, 2015
• 151 pages PDF doc

• 3.3.2.2 Set 'ip ospf message-digest-key md5' (Scored)
• Profile applicability:
  – Level 2
• Description: Enable Open Shortest Path First (OSPF) Message Digest 5 (MD5) authentication.
• Rationale: This is part of the OSPF authentication setup.
• Audit: Verify the appropriate md5 key is defined on the appropriate interface(s):
  hostname#sh run int {interface}
• Remediation: Configure the appropriate interface(s) for Message Digest authentication:
  hostname(config)#interface {interface_name}
  hostname(config-if)#ip ospf message-digest-key {ospf_md5_key-id} md5 {ospf_md5_key}
• Impact: Organizations should plan and implement enterprise security policies that require rigorous authentication methods for routing protocols. Configuring the proper interface(s) for 'ip ospf message-digest-key md5' enforces these policies by restricting exchanges between network devices.
• Default Value: Not set

END
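The Layer 2 Switch STIG check (switchport port-security violation shutdown) and CIS IOS 15 recommendation 3.3.2.2 (ip ospf message-digest-key md5) are both per-interface reviews of show running-config, so this added Python example (not from CIS, DISA or these handouts) parses one constructed running-config and evaluates both; EXAMPLE-KEY stands in for a real key.

```python
"""Per-interface audit of a Cisco IOS running-config for two checks in these slides.

Added example (not from CIS, DISA or the handouts):
  - DISA Layer 2 Switch STIG NET-NAC-032: ports using MAC port security must
    shut down on a violation
  - CIS Cisco IOS 15 3.3.2.2: OSPF interfaces must carry
    'ip ospf message-digest-key <id> md5 <key>'
The configuration text is a constructed sample; EXAMPLE-KEY is a placeholder
(a real key is set per the benchmark's Remediation and kept secret).
"""
import re

SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet0/1
 description constructed sample: access port, violation action weakened
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet0/2
 description constructed sample: access port, IOS default violation action
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/23
 description constructed sample: OSPF uplink without MD5 key
 no switchport
 ip address 10.0.1.1 255.255.255.252
!
interface GigabitEthernet0/24
 description constructed sample: OSPF uplink with MD5 key
 no switchport
 ip address 10.0.0.1 255.255.255.252
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
!
"""

# 'md5' may be followed by an optional encryption-type digit before the key itself.
_OSPF_MD5_RE = re.compile(r"^ip ospf message-digest-key (\d+) md5 (?:\d+ )?\S+$")


def parse_interfaces(config_text):
    """Return {interface name: [its indented config lines]} from show running-config output."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None   # '!' or another top-level section ends the block
    return interfaces


def port_security_findings(interfaces):
    """NET-NAC-032: (interface, action) for port-security ports whose action is not shutdown.

    'shutdown' is the IOS default violation mode and therefore does not appear
    in show run; only an explicit 'protect' or 'restrict' is a finding.
    """
    findings = []
    for name, lines in interfaces.items():
        if "switchport port-security" not in lines:
            continue
        actions = [line.split()[-1] for line in lines
                   if line.startswith("switchport port-security violation ")]
        action = actions[-1] if actions else "shutdown"
        if action != "shutdown":
            findings.append((name, action))
    return findings


def ospf_md5_status(interfaces, ospf_interfaces):
    """CIS 3.3.2.2: for each interface expected to run OSPF, which MD5 key-ids are configured."""
    status = {}
    for name in ospf_interfaces:
        key_ids = []
        for line in interfaces.get(name, []):
            match = _OSPF_MD5_RE.match(line)
            if match:
                key_ids.append(int(match.group(1)))
        status[name] = {"compliant": bool(key_ids), "key_ids": key_ids}
    return status


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_RUNNING_CONFIG)
    print("port-security findings:", port_security_findings(ifs))
    print("ospf md5:", ospf_md5_status(ifs, ["GigabitEthernet0/23", "GigabitEthernet0/24"]))
```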

712
Security Hardening – Case Study - WLAN

• WLAN Controller STIG
• DISA, Release 12
  – 28 Oct, 2016

STIGVIEWER WINDOW

• General Information:
  – Rule Title: WLAN must use EAP-TLS
  – Vuln ID: V-3692
  – STIG ID: WIR0115-01
  – Severity: CAT II
• Discussion:
  – EAP-TLS provides strong cryptographic mutual authentication and key distribution services not found in other EAP methods, and thus provides significantly more protection against attacks than other methods. Additionally, EAP-TLS supports two-factor user authentication on the WLAN client, which provides significantly more protection than methods that rely on a password or certificate alone. EAP-TLS also can leverage DoD CAC in its authentication services, providing additional security and convenience.
• Check Content:
  – NOTE: If the equipment is WPA2 certified, then it is capable of supporting this requirement.
  – Review the WLAN equipment configuration to check EAP-TLS is actively used and no other methods are enabled. Mark as a finding if either EAP-TLS is not used or if the WLAN system allows users to connect with other methods.
• Fix Text:
  – Change the WLAN configuration so it supports EAP-TLS, implementing supporting PKI and AAA infrastructure as necessary.
  – If the WLAN equipment is not capable of supporting EAP-TLS, procure new equipment capable of such support.

END

723
Security Hardening – Case Study – L3 Switch

• Infrastructure Layer 3 Switch STIG
• DISA, Release 22
  – 28 April, 2017

STIGVIEWER WINDOW

• General Information:
  – Rule Title: The administrator must ensure that all L2TPv3 sessions are authenticated prior to transporting traffic.
  – Vuln ID: V-30744
  – STIG ID: NET-TUNL-034
  – Severity: CAT II
• Discussion:
  – L2TPv3 sessions can be used to transport layer-2 protocols across an IP backbone. These protocols were intended for link-local scope only and are therefore less defended and not as well-known. As stated in DoD IPv6 IA Guidance for MO3 (S4-C7-1), the L2TP tunnels can also carry IP packets that are very difficult to filter because of the additional encapsulation. Hence, it is imperative that L2TP sessions are authenticated prior to transporting traffic.
• Check Content:
  – Review the router or multi-layer switch configuration and determine if L2TPv3 has been configured to provide transport across an IP network. If it has been configured, verify that the L2TPv3 session requires authentication.
  – (See the detailed configuration explanation in the STIG's Check Content.)
• Fix Text:
  – Configure L2TPv3 to use authentication for any peering sessions.

END

733
Case Study Security Hardening – VMware

• CIS Benchmarks case study (VMware ESXi 5.5)
• December 16, 2014
• 132 pages PDF doc

• 5.1 Disable DCUI to prevent local administrative control (Scored)
• Profile applicability:
  – Level 2
• Description:
  – The Direct Console User Interface (DCUI) can be disabled to prevent any local administration from the Host; once the DCUI is disabled any administration of the ESXi host will be done through vCenter.
• Rationale:
  – The DCUI allows for low-level host configuration such as configuring IP address, hostname and root password as well as diagnostic capabilities such as enabling the ESXi shell, viewing log files, restarting agents, and resetting configurations. Actions performed from the DCUI are not tracked by vCenter Server. Even if Lockdown Mode is enabled, users who are members of the DCUI.Access list can perform administrative tasks in the DCUI bypassing RBAC and auditing controls provided through vCenter. DCUI access can be disabled. Disabling it prevents all local activity and thus forces actions to be performed in vCenter Server where they can be centrally audited and monitored.
• Audit: Perform the following:
  1. From the vSphere web client select the host.
  2. Select "Manage" -> "Settings" -> "System" -> "Security Profile".
  3. Scroll down to "Services".
  4. Click "Edit...".
  5. Select "Direct Console UI".
  6. Verify the Startup Policy is set to "Start and Stop Manually".
  Additionally, the following PowerCLI command may be used:
    # List DCUI settings for all hosts
    Get-VMHost | Get-VMHostService | Where { $_.key -eq "DCUI" }
• Remediation: Perform the following:
  1. From the vSphere web client select the host.
  2. Select "Manage" -> "Settings" -> "System" -> "Security Profile".
  3. Scroll down to "Services".
  4. Click "Edit...".
  5. Select "Direct Console UI".
  6. Click "Stop".
  7. Change the Startup Policy to "Start and Stop Manually".
  8. Click "OK".
• Impact:
  – Disabling the DCUI can create a potential "lock out" situation should the host become isolated from vCenter Server. Recovering from a "lock out" scenario requires re-installing ESXi. Consider leaving DCUI enabled and instead enable lockdown mode and limit the users allowed to access the DCUI using the DCUI.Access list.
• Default Value:
  – The prescribed state is not the default state.
• References:
  – http://pubs.vmware.com/vsphere-55/topic/com.vmware.vsphere.security.doc/GUID-6779F098-48FE-4E22-B116-A8353D19FF56.html

END

751
Case Study Security Hardening – Cloud AWS

• CIS Benchmarks case study (Cloud – Amazon Web Services Foundations)
• November 29, 2016
• 148 pages PDF doc

• 1.14 Ensure hardware MFA is enabled for the "root" account (Scored)
• Profile applicability:
  – Level 2
• Description:
  – The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password; with MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA.
• Rationale:
  – A hardware MFA has a smaller attack surface than a virtual MFA. For example, a hardware MFA does not suffer the attack surface introduced by the mobile smartphone on which a virtual MFA resides.
  – Note: Using hardware MFA for many, many AWS accounts may create a logistical device management issue. If this is the case, consider implementing this Level 2 recommendation selectively to the highest security AWS accounts and the Level 1 recommendation applied to the remaining accounts.
• Audit: Perform the following to determine if the root account has a hardware MFA setup:
  1. Run the following command to list all virtual MFA devices:
     aws iam list-virtual-mfa-devices
  2. If the output contains one MFA with the following Serial Number, it means the MFA is virtual, not hardware and the account is not compliant with this recommendation:
     "SerialNumber": "arn:aws:iam::<aws_account_number>:mfa/root-account-mfa-device"
• Remediation: [8 step process…check the benchmark]
• References:
  – http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html
  – http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html#enable-hw-mfa-for-root

END
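Step 2 of the Audit is a string match on the CLI output; this added Python example (not from CIS or these handouts) performs it over a constructed list-virtual-mfa-devices JSON document, with a placeholder account id and a root_mfa_enabled flag assumed to be taken from get-account-summary.

```python
"""Audit for CIS AWS Foundations 1.14: the root account must use a hardware MFA.

Added example (not from CIS or the handouts). It evaluates the JSON printed
by `aws iam list-virtual-mfa-devices`: a device whose SerialNumber is
arn:aws:iam::<account>:mfa/root-account-mfa-device means root is protected
by a *virtual* MFA, which fails the Level 2 recommendation. The JSON below
is a constructed sample and 123456789012 is a placeholder account id.
"""
import json
import re

ROOT_VIRTUAL_MFA_RE = re.compile(r"^arn:aws:iam::(\d{12}):mfa/root-account-mfa-device$")

SAMPLE_OUTPUT = json.dumps({
    "VirtualMFADevices": [
        {"SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
         "EnableDate": "2016-11-29T10:00:00Z"},
        {"SerialNumber": "arn:aws:iam::123456789012:mfa/root-account-mfa-device",
         "EnableDate": "2016-11-29T10:05:00Z"},
    ]
})


def root_virtual_mfa_serials(list_output):
    """SerialNumbers of virtual devices that belong to the root account (normally zero or one)."""
    devices = json.loads(list_output).get("VirtualMFADevices", [])
    return [d["SerialNumber"] for d in devices
            if ROOT_VIRTUAL_MFA_RE.match(d.get("SerialNumber", ""))]


def check_root_hardware_mfa(list_output, root_mfa_enabled=True):
    """CIS 1.14 verdict from list-virtual-mfa-devices output.

    root_mfa_enabled is assumed to come from the AccountMFAEnabled field of
    `aws iam get-account-summary` (the Level 1 check that some MFA exists at
    all); without it, an account with no MFA would look like a hardware one here.
    """
    if not root_mfa_enabled:
        return {"compliant": False, "reason": "no MFA of any kind is enabled for root"}
    serials = root_virtual_mfa_serials(list_output)
    if serials:
        return {"compliant": False, "reason": "root MFA is a virtual device", "serial": serials[0]}
    return {"compliant": True, "reason": "root MFA is enabled and is not a virtual device"}


if __name__ == "__main__":
    print(check_root_hardware_mfa(SAMPLE_OUTPUT))
```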
764
Security Hardening – Case Study - FW

• General Information:
  – Rule Title: The device must be configured to protect the network against denial of service attacks such as Ping of Death, TCP SYN floods, etc.
  – Vuln ID: V-3156
  – STIG ID: NET0375
  – Severity: CAT II
• Discussion:
  – A SYN-flood attack is a denial-of-service attack where the attacker sends a huge amount of please-start-a-connection packets and then nothing else. This causes the device being attacked to be overloaded with the open sessions and eventually crash.
  – A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts (computers).
• Check Content:
  – Review the device configurations to determine if denial of service attacks are guarded against.
  – If the device is not configured to mitigate denial of service attacks, this is a finding.
• Fix Text:
  – If the firewall supports SYN-flood or ping sweep protection then enable these features. If the firewall does not support these features, enable the security features on the router to protect the network from these attacks.
• CCI (Control Correlation Identifier):
  – (Misc info)

END

771
Software Security Fundamentals-SAMM-2

• Software Assurance Maturity Model (SAMM) developed by OWASP
  – A guide to building security into software development
  – 96 page PDF

http://www.opensamm.org/downloads/SAMM-1.0.pdf

• OWASP Software Assurance Maturity Model (SAMM) Construction Phase:
  – Security Requirements
  – Threat Assessment
  – Secure Architecture
• Security Requirements:
  – Focused on proactively specifying the expected behavior of software with respect to security. Through addition of analysis activities at the project level, security requirements are initially gathered based on the high-level business purpose of the software.
• Threat Assessment:
  – Centered on identification and understanding of the project-level risks based on the functionality of the software being developed and characteristics of the runtime environment. From details about threats and likely attacks against each project, the organization as a whole operates more effectively through better decisions about prioritization of initiatives for security.
• Secure Architecture:
  – Focused on proactive steps for an organization to design and build secure software by default. By enhancing the software design process with reusable services and components, the overall security risk from software development can be dramatically reduced.
• SAMM is an excellent model for software security and we look at the verification and deployment phases as part of testing and validation (future module)…

END

785
SECURITY HARDENING – SOFTWARE APPLICATIONS

• Two types of security hardening:
– IT assets (systems, network devices, databases, applications)
– Software developed internally or by a third party

786
SECURITY HARDENING – SOFTWARE APPLICATIONS

• Typical enterprise software:
– ERP (Oracle, SAP, IBM, etc.)
– Internally or 3rd party developed software in ASP.NET, PHP, Android/iOS, or another platform

787
SECURITY HARDENING – SOFTWARE APPLICATIONS

8 STEP SECURITY HARDENING METHODOLOGY

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

788
SECURITY HARDENING – SOFTWARE APPLICATIONS

SOFTWARE SECURITY WORKFLOW

1. Research Security Controls
2. Apply Security Controls (Hardening)
3. Code Review & Automated Testing (Validation)
4. Harden Server Environment
5. Pen Test & Accreditation (Move to PROD)

789
SECURITY HARDENING–SOFTWARE APPLICATIONS

• Useful resources:
– www.OWASP.org
– www.cloudsecurityalliance.org
– MS Technet
– OWASP Top 10
– OWASP Secure Coding Practices Quick Reference Guide
– SAMM
790
SECURITY HARDENING–SOFTWARE APPLICATIONS

17-page document
791
SECURITY HARDENING–SOFTWARE APPLICATIONS

Latest version is currently under review


792
SECURITY HARDENING–SOFTWARE APPLICATIONS

Latest version 20 SEPT ‘17

793
SECURITY HARDENING–SOFTWARE APPLICATIONS

• Conclusion
– Software security hardening is a challenging activity
– Build a software security program & integrate it with QA
– Domain-specific knowledge is required
– Build capabilities and process following SAMM
794
CASE STUDY – ASP.NET SECURITY HARDENING

• OWASP ASP.NET Cheat Sheet
• https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet

795
CASE STUDY – ASP.NET SECURITY HARDENING

• .NET Framework Guidance
• ASP.NET Web Forms Guidance
• ASP.NET MVC Framework Guidance

796
CASE STUDY – ASP.NET SECURITY HARDENING

• .NET Framework Guidance
– Data access
– Encryption
– General guidelines

797
CASE STUDY – ASP.NET SECURITY HARDENING

.NET FRAMEWORK, DATA ACCESS GUIDANCE:

• Use parameterized SQL commands for all data access, without exception.
• Do not use SqlCommand with a string parameter made up of a concatenated SQL string.
• Whitelist allowable values coming from the user. Use enums, TryParse or lookup values to assure that the data coming from the user is as expected.

798
CASE STUDY – ASP.NET SECURITY HARDENING

• Apply the principle of least privilege when setting up the database user in your database of choice. The database user should only be able to access items that make sense for the use case.
• Use of the Entity Framework is a very effective SQL injection prevention mechanism. When using SQL Server, prefer integrated authentication over SQL authentication.
• Use Always Encrypted where possible for sensitive data (SQL Server 2016 and SQL Azure).
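The three data-access rules above (parameterized commands, no concatenated SQL, whitelisting with enums or TryParse) shown as working code. This is an added example, not code from the OWASP cheat sheet; it uses Python with sqlite3 in place of SqlCommand, with `?` placeholders standing in for command parameters. The accounts table, its rows and the sample inputs are constructed for the illustration.

```python
"""Parameterized queries and input whitelisting, the .NET data access
guidance shown in Python with sqlite3 (added example; not code from the
OWASP cheat sheet). The accounts table, its rows and the sample inputs are
constructed for this illustration; '?' placeholders play the role of
SqlCommand parameters."""
import sqlite3
from enum import Enum


class AccountStatus(Enum):
    """Whitelist: the only status values a caller may filter on."""
    ACTIVE = "active"
    SUSPENDED = "suspended"


def build_db():
    """In-memory database with a small constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, name TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", "active"), (2, "bob", "suspended"), (3, "carol", "active")],
    )
    return conn


def find_by_name_concatenated(conn, name):
    """The pattern the guidance forbids: the user value is spliced into the SQL
    text, so a quote character in it changes the statement, not just the data."""
    sql = "SELECT id, name FROM accounts WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_parameterized(conn, name):
    """Parameterized command: the value travels separately from the SQL text
    and is only ever compared as a literal, whatever characters it contains."""
    return conn.execute(
        "SELECT id, name FROM accounts WHERE name = ?", (name,)
    ).fetchall()


def parse_account_id(raw):
    """TryParse-style check: an int only if the whole string is an ASCII
    decimal number, otherwise None so the caller can reject the request."""
    if raw.isascii() and raw.isdigit():
        return int(raw)
    return None


def find_by_status(conn, raw_status):
    """Enum whitelist: a value that is not a known status never reaches SQL."""
    try:
        status = AccountStatus(raw_status)
    except ValueError:
        raise ValueError("status not in whitelist: %r" % raw_status)
    rows = conn.execute(
        "SELECT name FROM accounts WHERE status = ? ORDER BY id", (status.value,)
    ).fetchall()
    return [name for (name,) in rows]


def demo():
    """Look up a constructed name containing a quote both ways and return the
    row counts as (concatenated, parameterized): (3, 0) on the table above."""
    conn = build_db()
    quoted_name = "x' OR '1'='1"  # constructed input; no account has this name
    return (len(find_by_name_concatenated(conn, quoted_name)),
            len(find_by_name_parameterized(conn, quoted_name)))
```

The concatenated lookup returns every row for the quoted input because the quote terminates the literal and the rest becomes SQL; the parameterized lookup returns nothing because no account is literally named that. The enum and the digit check reject unexpected values before a query is even built, which is the whitelist rule in the slide.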
799
CASE STUDY – ASP.NET SECURITY HARDENING

.NET FRAMEWORK, GENERAL GUIDANCE:

• Lock down the config file.
• Remove all aspects of configuration that are not in use.
• Encrypt sensitive parts of the web.config using aspnet_regiis -pe
• For Click Once applications the .NET Framework should be upgraded to use version 4.6.2 to ensure TLS 1.1/1.2 support.

800
CASE STUDY – ASP.NET SECURITY HARDENING

• ASP.NET Web Forms Guidance
– HTTPS & some general configuration
– HTTP validation & encoding
– Forms authentication

801
CASE STUDY – ASP.NET SECURITY HARDENING

• ASP.NET MVC Guidance
– ASP.NET MVC (Model-View-Controller) is a contemporary web application framework that uses more standardized HTTP communication
– Based on OWASP Top 10

802
CASE STUDY – PHP SECURITY HARDENING

• PHP Security Guidelines
• https://docs.php.earth/security/intro/

803
CASE STUDY – PHP SECURITY HARDENING

1. Cross site scripting (XSS)
2. Injections
– SQL injection
– Directory traversal (path injection)
– Command injection
– Code injection
3. Cross site request forgery (XSRF/CSRF)
4. Public files
5. Passwords
6. Uploading files
7. Session hijacking
8. Remote file inclusion
9. PHP configuration
– Error reporting
– Exposing PHP version
– Remote files
– Open_basedir
– Session settings
10. Use HTTPS
11. Things not listed

806
CASE STUDY – PHP SECURITY HARDENING

9. PHP Configuration
Always keep the installed PHP version updated. You can use versionscan to check for possible vulnerabilities of your PHP version. Update open source libraries and applications, and keep your web server well maintained.
Here are some of the important settings from php.ini that you should check. You can also use iniscan to scan your php.ini files for best security practices.

808
CASE STUDY – PHP SECURITY HARDENING

9. PHP Configuration: Error Reporting
In your production environment, you must always turn off displaying errors to the screen. If errors occur in your application and they are visible to the outside world, an attacker could get valuable data for attacking your application.
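A small php.ini scanner covering the settings the list above names (error reporting, PHP version exposure, remote files, open_basedir, session settings). It is an added example in the spirit of iniscan, not iniscan itself or code from docs.php.earth. The directive names are real php.ini keys; the expected values and the reasons are this example's hardening choices, and the php.ini fragment is constructed.

```python
"""php.ini hardening scanner (added example; not iniscan, not php.earth code).
Directive names are real php.ini keys; expected values are this example's
choices; the sample php.ini below is constructed."""

SAMPLE_PHP_INI = """
; constructed php.ini fragment with the weak settings the slides warn about
[PHP]
display_errors = On
log_errors = Off
expose_php = On
allow_url_fopen = On
allow_url_include = Off
; open_basedir deliberately not set
session.cookie_httponly = 0
session.cookie_secure =
session.use_strict_mode = 0
"""

# (directive, expected, reason). allow_url_fopen=Off can break code that
# reads URLs with file_get_contents(); decide per application.
CHECKS = [
    ("display_errors", "off", "errors shown to visitors leak paths and internals"),
    ("log_errors", "on", "errors should go to the log instead of the screen"),
    ("expose_php", "off", "stops the PHP version appearing in X-Powered-By"),
    ("allow_url_fopen", "off", "remote files via URL wrappers"),
    ("allow_url_include", "off", "remote file inclusion in include/require"),
    ("session.cookie_httponly", "on", "session cookie unreadable from scripts"),
    ("session.cookie_secure", "on", "session cookie only sent over HTTPS"),
    ("session.use_strict_mode", "on", "rejects uninitialised session ids"),
]
ON_VALUES = {"1", "on", "true", "yes"}
OFF_VALUES = {"0", "off", "false", "no", "", "none"}


def parse_ini(text):
    """Return {directive: value} from php.ini text, skipping comments and
    section headers. Keys and values are lower-cased; quotes are stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def normalise(value):
    """Map the many spellings PHP accepts for booleans onto 'on'/'off'."""
    if value in ON_VALUES:
        return "on"
    if value in OFF_VALUES:
        return "off"
    return value


def scan(text):
    """Return findings as (directive, found, expected, reason) tuples; an
    empty list means every checked directive is at its hardened value."""
    settings = parse_ini(text)
    findings = []
    for directive, expected, reason in CHECKS:
        found = normalise(settings.get(directive, "<unset>"))
        if found != expected:
            findings.append((directive, found, expected, reason))
    # open_basedir is a path list, not a boolean: absent or empty is a finding
    if not settings.get("open_basedir"):
        findings.append(("open_basedir", settings.get("open_basedir", "<unset>"),
                         "<directory list>", "restricts the paths PHP may open"))
    return findings
```

On the constructed fragment the scanner reports eight findings; only allow_url_include already has its hardened value. Run it against a real php.ini and every line it returns is a setting to review before the server goes to production.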

809
CASE STUDY – PHP SECURITY HARDENING

https://docs.php.earth/security/intro/#php-configuration

810
CASE STUDY – PHP SECURITY HARDENING

• PHP Security Guidelines
• https://docs.php.earth/security/intro/

811
CASE STUDY – ASP.NET MVC SECURITY HARDENING

• ASP.NET MVC Security Guidelines
• https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet#ASP.NET_MVC_Guidance

812
CASE STUDY – ASP.NET MVC SECURITY HARDENING

• ASP.NET MVC (Model-View-Controller) is a contemporary web application framework that uses more standardized HTTP communication than the Web Forms postback model.

813
CASE STUDY – ASP.NET MVC SECURITY HARDENING

• The OWASP Top 10 lists the most prevalent and dangerous threats to web security in the world today and is reviewed every 3 years.
• After covering the top 10 it is generally advisable to assess for other threats or get a professional penetration test.

814
CASE STUDY – ASP.NET MVC SECURITY HARDENING

• Your approach to securing your web application should be to start at the top threat (A1 below) and work down; this will ensure that any time spent on security is spent most effectively, covering the top threats first and lesser threats afterwards.
815
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure
• DO NOT: Store encrypted passwords.
• DO: Use a strong hash to store password credentials. Use PBKDF2, BCrypt or SCrypt with at least 8000 iterations and a strong key.
• DO: Enforce passwords with a minimum complexity that will survive a dictionary attack, i.e. longer passwords that use the full character set (numbers, symbols and letters) to increase the entropy.
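The two DO rules above, hashing with PBKDF2 at the slide's 8000-iteration minimum and enforcing complexity, as working code. This is an added example, not code from the OWASP cheat sheet: the iteration count is the slide's figure, while the salt length, derived-key length and the length/entropy thresholds in the policy check are this example's own assumptions.

```python
"""Password storage with PBKDF2-HMAC-SHA256 plus an entropy-based policy check
(added example for the A.6 guidance; not code from the OWASP cheat sheet).
The 8000 iterations come from the slide; salt length, key length and the
policy thresholds are this example's own assumptions."""
import hashlib
import hmac
import math
import os
import string

ITERATIONS = 8000   # the slide's minimum; raise it as your hardware allows
SALT_BYTES = 16
KEY_BYTES = 32
PUNCT = string.punctuation   # the 32 printable ASCII symbols


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt is drawn unless one is passed in (tests only)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, KEY_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time, so response timing does not reveal how much matched."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), KEY_BYTES)
    return hmac.compare_digest(dk.hex(), hash_hex)


def entropy_bits(password):
    """Estimate entropy as length * log2(pool), where pool is the combined size
    of the character classes the password actually uses: the slide's
    'full character set' argument made measurable."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (PUNCT, len(PUNCT))]
    pool = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def meets_policy(password, min_length=12, min_bits=60):
    """Length and entropy floors (assumed values) that a dictionary attack
    should not clear; both must hold."""
    return len(password) >= min_length and entropy_bits(password) >= min_bits
```

The stored string carries its own salt and iteration count, so the count can be raised later for new passwords without breaking verification of old ones. The entropy estimate rewards length as much as character variety, which is the point the slide makes about longer passwords.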
817
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure…
• DO: Use a strong encryption routine such as AES-512 where personally identifiable data needs to be restored to its original format. Do not encrypt passwords. Protect encryption keys more than any other asset.
818
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure…
• Apply the following test: would you be happy leaving the data on a spreadsheet on a bus for everyone to read? Assume the attacker can get direct access to your database and protect it accordingly.

819
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure…
• DO: Use TLS 1.2 for your entire site. Get a free certificate from StartSSL.com or LetsEncrypt.org.
• DO NOT: Allow SSL, this is now obsolete.

820
CASE STUDY – ASP.NET MVC SECURITY HARDENING

A.6 Sensitive data exposure…
• DO: Have a strong TLS policy (see SSL Best Practices), use TLS 1.2 wherever possible. Then check the configuration using SSL Test.
• DO: Ensure headers are not disclosing information about your application.
• See HttpHeaders.cs, Dionach StripHeaders or disable via web.config:

822
Security Hardening – Case Study-SharePoint

• SharePoint 2013 STIG
• DISA, Release 3 (22 April, 2016)
• SharePoint server-side configurations

823
Security Hardening – Case Study-SharePoint

STIGVIEWER WINDOW

824
Security Hardening – Case Study-SharePoint

• General Information:
– Rule Title: For environments requiring an Internet-facing capability, the SharePoint application server upon which Central Administration is installed must not be installed in the DMZ.
– Vuln ID: V-59995
– STIG ID: SP13-00-000155
– Severity: CAT II

826
Security Hardening – Case Study-SharePoint

• Discussion:
– Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to the information.
– SharePoint installed Central Administrator is a powerful management tool used to administer the farm. This server should be installed on a trusted network segment. This server should also be used to run services rather than user-oriented web applications.

829
Security Hardening – Case Study-SharePoint

• Check Content:
– For environments requiring an Internet-facing capability, ensure the SharePoint Central Administration application server is not in the DMZ.
– Inspect the logical location of the server farm web front end servers.
– Verify the Central Administration site is not installed on a server located in a DMZ or other publicly accessible segment of the network.
– If Central Administrator is installed on a publicly facing SharePoint server, this is a finding.

832
Security Hardening – Case Study-SharePoint

• Fix Text:
– For environments requiring an Internet-facing capability, remove the SharePoint Central Administration application server upon which Central Administration is installed from the DMZ.
833
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• Carnegie Mellon Software Engineering Institute
• https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards
• https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard

834
CASE STUDY – C APPLICATIONS SECURITY HARDENING

https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards

835
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• There are existing compiler implementations that allow const-qualified objects to be modified without generating a warning message.

836
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• Avoid casting away const qualification because doing so makes it possible to modify const-qualified objects without issuing diagnostics.

837
CASE STUDY – C APPLICATIONS SECURITY HARDENING

838
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• The first assignment is unsafe because it allows the code that follows it to attempt to change the value of the const object i.

839
CASE STUDY – C APPLICATIONS SECURITY HARDENING

840
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• The compliant solution depends on the intent of the programmer. If the intent is that the value of i is modifiable, then it should not be declared as a constant, as in this compliant solution:

841
CASE STUDY – C APPLICATIONS SECURITY HARDENING

• If the intent is that the value of i is not meant to change, then do not write noncompliant code that attempts to modify it.
• Risk Assessment
• Automated detection
• Related vulnerabilities

842
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Carnegie Mellon Software Engineering Institute
• https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682

843
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

8 STEP SECURITY HARDENING METHODOLOGY (diagram repeated from slide 787)

844
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Rule 01. Declarations and Initialization (DCL)
• Rule 02. Expressions (EXP)
• Rule 03. Integers (INT)
• Rule 04. Containers (CTR)
• Rule 05. Characters and Strings (STR)
• Rule 06. Memory Management (MEM)
• Rule 07. Input Output (FIO)
• Rule 08. Exceptions and Error Handling (ERR)
• Rule 09. Object Oriented Programming (OOP)
• Rule 10. Concurrency (CON)
846
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Rule 10. Concurrency (CON)
• CON50-CPP. Do not destroy a mutex while it is locked

847
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Mutex objects are used to protect shared data from being concurrently accessed. If a mutex object is destroyed while a thread is blocked waiting for the lock, critical sections and shared data are no longer protected.

848
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• The C++ Standard, [thread.mutex.class], paragraph 5 [ISO/IEC 14882-2014], states the following:
• The behavior of a program is undefined if it destroys a mutex object owned by any thread or a thread terminates while owning a mutex object.
849
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

850
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Non-Compliant Code Example:
• This noncompliant code example creates several threads that each invoke the do_work() function, passing a unique number as an ID.
• Unfortunately, this code contains a race condition, allowing the mutex to be destroyed while it is still owned, because start_threads() may invoke the mutex's destructor before all of the threads have exited.

852
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

853
CASE STUDY – C++ APPLICATIONS SECURITY HARDENING

• Compliant Code Example:
• This compliant solution eliminates the race condition by extending the lifetime of the mutex.

854
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• Carnegie Mellon Software Engineering Institute
• https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java

855
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

8 STEP SECURITY HARDENING METHODOLOGY (diagram repeated from slide 787)

856
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

857
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• Rule 7
• ERR02-J. Prevent exceptions while logging data
• Exceptions that are thrown while logging is in progress can prevent successful logging unless special care is taken. Failure to account for exceptions during the logging process can cause security vulnerabilities, such as allowing an attacker to conceal critical security exceptions by preventing them from being logged. Hence, programs must ensure that data logging continues to operate correctly even when exceptions are thrown during the logging process.

860
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

861
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• Non-compliant Code Example:
• This noncompliant code example writes a critical security exception to the standard error stream:

862
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• Writing such exceptions to the standard error stream is inadequate for logging purposes. First, the standard error stream may be exhausted or closed, preventing recording of subsequent exceptions. Second, the trust level of the standard error stream may be insufficient for recording certain security-critical exceptions or errors without leaking sensitive information. If an I/O error were to occur while writing the security exception, the catch block would throw an IOException and the critical security exception would be lost. Finally, an attacker may disguise the exception so that it occurs with several other innocuous exceptions.

865
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

866
CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• Compliant Solution:
• This compliant solution uses java.util.logging.Logger, the default logging API provided by JDK 1.4 and later. Use of other compliant logging mechanisms, such as log4j, is also permitted.
• Typically, only one logger is required for the entire program.
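The ERR02-J failure mode and its fix, transposed to Python's standard logging module as an added example (it is not CERT code and not the Java solution above). A closed in-memory stream stands in for the exhausted or closed standard error stream; `NaiveHandler` is this example's name for a handler that lets the I/O error escape, while `logging.StreamHandler` is the library's own handler, which catches the error inside `emit()` and hands it to `handleError()`.

```python
"""Keeping security-event logging alive when one log destination fails.
Added example translating ERR02-J to Python logging; not CERT code.
The closed StringIO simulates an exhausted or closed stderr."""
import io
import logging


class NaiveHandler(logging.Handler):
    """Noncompliant pattern (hypothetical name): emit() lets the I/O error
    escape, so the logging call itself raises and any handler registered
    after this one never sees the record."""

    def __init__(self, stream):
        super().__init__()
        self.stream = stream

    def emit(self, record):
        self.stream.write(self.format(record) + "\n")   # raises on a closed stream


class CapturingHandler(logging.Handler):
    """Fallback destination that keeps formatted records in memory so the
    outcome can be inspected; stands in for a file or syslog handler."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_security_logger(name, primary):
    """One logger, two destinations: the primary (which may fail) and a
    fallback. The logging module delivers each record to every handler in
    turn, but only if no handler raises out of emit()."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    fallback = CapturingHandler()
    fmt = logging.Formatter("%(levelname)s %(name)s %(message)s")
    primary.setFormatter(fmt)
    fallback.setFormatter(fmt)
    logger.addHandler(primary)
    logger.addHandler(fallback)
    return logger, fallback


def log_security_event(logger, detail):
    """Record a security-critical event. Returns True if the logging call
    completed; the caller's control flow must never depend on the log."""
    try:
        logger.error("security event: %s", detail)
        return True
    except Exception:
        return False


def demo_naive():
    """Closed primary stream plus NaiveHandler: the call fails and the
    fallback gets nothing, which is the exception-concealment risk."""
    closed = io.StringIO()
    closed.close()
    logger, fallback = build_security_logger("sec-naive", NaiveHandler(closed))
    ok = log_security_event(logger, "authentication failure for user alice")
    return ok, fallback.lines


def demo_robust():
    """Same closed stream behind logging.StreamHandler: emit() catches the
    error and calls handleError(), so the record still reaches the fallback.
    raiseExceptions=False keeps handleError() from writing a traceback."""
    logging.raiseExceptions = False
    closed = io.StringIO()
    closed.close()
    logger, fallback = build_security_logger("sec-robust", logging.StreamHandler(closed))
    ok = log_security_event(logger, "authentication failure for user alice")
    return ok, fallback.lines
```

The difference is entirely inside `emit()`: a handler that contains its own I/O failures lets the logger go on to the next destination, which is the "special care" the rule asks for. In production the fallback would be a second real destination (a file, syslog, or a queue), not an in-memory list.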
867
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

• Carnegie Mellon Software Engineering Institute
• https://wiki.sei.cmu.edu/confluence/display/perl/SEI+CERT+Perl+Coding+Standard

868
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

8 STEP SECURITY HARDENING METHODOLOGY (diagram repeated from slide 787)

869
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

870
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

• Rule 1
• IDS30-PL. Exclude user input from format strings

871
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

• Never call any formatted I/O function with a format string containing user input.
• An attacker who can fully or partially control the contents of a format string can crash the Perl interpreter or cause a denial of service. She can also modify values, perhaps by using the %n conversion specifier, and use these values to divert control flow. Their capabilities are not as strong as in C [Seacord 2005]; nonetheless the danger is sufficiently great that the formatted output functions sprintf() and printf() should never be passed unsanitized format strings.
873
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

874
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

• This noncompliant code example tries to authenticate a user by having the user supply a password and granting access only if the password is correct.

875
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

876
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

• This compliant code example avoids the use of printf(), since print() provides sufficient functionality.
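The IDS30-PL rule carried over to Python's `%` formatting, as an added example that is not CERT code and not the Perl listings from the slides. Python has no `%n`, so the reachable consequence of a user-controlled format string is the crash (denial of service) the rule describes: conversion specifiers in the input are interpreted and, with no arguments to consume, raise. The inputs are constructed.

```python
"""User input as an argument to the formatting call, never as the format
string itself (added example for IDS30-PL; not CERT code). Inputs constructed."""


def greet_unsafe(user_input):
    """Noncompliant: the user-controlled text *is* the format string. Any
    conversion specifier in it is interpreted instead of printed; with no
    arguments supplied, %-formatting raises and the request handler dies."""
    return user_input % ()


def greet_safe(user_input):
    """Compliant: a fixed format string written by the programmer; the user
    text is passed as data and is reproduced literally, specifiers and all."""
    return "Hello, %s" % (user_input,)


def greet_print_style(user_input):
    """The slide's print() alternative: when no formatting is needed, plain
    concatenation has no format language for the input to trigger."""
    return "Hello, " + user_input


def unsafe_outcome(user_input):
    """Run the noncompliant form and classify the result as ('ok', text) or
    ('crash', exception name), the denial-of-service case the rule names."""
    try:
        return ("ok", greet_unsafe(user_input))
    except (TypeError, ValueError) as exc:
        return ("crash", type(exc).__name__)
```

A benign name passes through both forms unchanged; input carrying `%s` or a trailing `%` crashes the noncompliant form while the compliant forms simply echo it. The same rule applies to `str.format()` and f-strings: the template is code the programmer writes, the user supplies only values.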

877
Case Study Security Hardening – Android

• CIS Benchmarks case study (Google Android 7)

878
Case Study Security Hardening – Android

• January 24, 2017
• 87-page PDF doc

879
Case Study Security Hardening – Android

• 1.15 Ensure Android Device Manager is set to Enabled (Not Scored)
– Profile applicability: Level 2
– Description: Set up Android Device Manager as a Device Administrator.

881
Case Study Security Hardening – Android

• Rationale:
– If you lose your Android device, you could use Android Device Manager to find your device and also ring, lock, or erase your device data remotely.

882
Case Study Security Hardening – Android

• Audit: Follow the steps below to verify that Android Device Manager is enabled:
1. Tap the System Settings gear icon.
2. Scroll to Personal.
3. Tap Security.
4. Scroll to Device administration.
5. Tap Device administrators.
6. Verify that Android Device Manager is enabled.

884
Case Study Security Hardening – Android

• Remediation: Follow the steps below to enable Android Device Manager:
1. Tap the System Settings gear icon.
2. Scroll to Personal.
3. Tap Security.
4. Scroll to Device administration.
5. Tap Device administrators.
6. Tap Android Device Manager.
7. Tap Activate this device administrator.

886
Case Study Security Hardening – Android

• Impact:
– Google may track your device location at any time.

887
Case Study Security Hardening – Android

• Default Value:
– By default, Android Device Manager is not enabled.

888
Case Study Security Hardening – Android

• References:
– https://support.google.com/pixelphone/answer/3265955

889
Case Study Security Hardening – Apple IOS 10

• CIS Benchmarks case study (Apple iOS 10)

890
Case Study Security Hardening – Apple IOS 10

• May 15, 2017
• 138-page PDF doc

891
Case Study Security Hardening – Apple IOS 10

• 3.2.1.12 (L2) Ensure 'Allow modifying cellular data app settings' is set to 'Disabled' (Not Scored)
– Profile applicability: Level 2, Institutionally Owned Devices
– Description: This recommendation pertains to modifying the use of cellular data by apps.

893
Case Study Security Hardening – Apple IOS 10

• Rationale:
– It is appropriate for an institution to have remote locating and erasure capability with their devices. Forcing cellular data to remain active is a means of supporting this goal.

894
Case Study Security Hardening – Apple IOS 10

• Audit:
– From the Configuration Profile:
1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the Restrictions tab.
4. In the right windowpane, verify that under the tab Functionality, the checkbox for Allow modifying cellular data app settings is unchecked.
– Or, from the device:
1. Tap Settings.
2. Tap General.
3. Tap Profile.
4. Tap <_Profile Name_>.
5. Tap Restrictions.
6. Confirm Changing app cellular data usage not allowed is displayed.

897
Case Study Security Hardening – Apple IOS 10

• Remediation:
1. Open Apple Configurator.
2. Open the Configuration Profile.
3. In the left windowpane, click on the Restrictions tab.
4. In the right windowpane, under the tab Functionality, uncheck the checkbox for Allow modifying cellular data app settings.
5. Deploy the Configuration Profile.

899
Case Study Security Hardening – Apple IOS 10

• CIS Controls:
– 5.1 Minimize And Sparingly Use Administrative Privileges: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

901
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

• http://www.ipcomms.net/asteriskblog/1-11-steps-to-secure-your-asterisk-pbx

902
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

8 STEP SECURITY HARDENING METHODOLOGY (diagram repeated from slide 787)

903
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

1. Physically secure your IP PBX and network hardware
• The first step to security of your system

904
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

2. Never, Never, Never use the default passwords on any system. (Use strong passwords)
• This will stop most of the attacks, as hackers use weak passwords to break in

905
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

3. Never use the same username and password on your extensions
• “This is another VERY common issue, especially within the Asterisk community. Using password 101 for extension 101 is asking for big trouble. DON’T DO IT!”
907
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

4. Place your PBX behind a firewall
• Use VPNs for remote access and limit it to specific IP addresses
• Allow access only on ports which are absolutely necessary
• Disable anonymous WAN requests (ICMP or PING) access to your IP PBX
908
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

5. Use the “permit=” and “deny=” lines in sip.conf
• “Use the “permit=” and “deny=” lines in sip.conf to only allow a small range of IP addresses access to extension/user in your sip.conf file. This is true even if you decide to allow inbound calls from “anywhere” (default), it won't let those users reach any authenticated elements!”

910
CASE STUDY – ASTERISK VOIP SECURITY HARDENING

6. Keep inbound and outbound routing separate (Asterisk)
• This is probably the biggest cause and source of toll fraud. By keeping your inbound call routing in a different context than your outbound routing, if an intruder does happen to make it into your system, he can’t get back out again.

912
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

• http://www.ipcomms.net/asteriskblog/1-11-steps-to-secure-your-asterisk-pbx

913
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

8 STEP SECURITY HARDENING METHODOLOGY (diagram repeated from slide 787)

914
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

7. Limit registration by extensions to your local subnet.
• Restrict the IP addresses your extensions can register from to the local subnet. Asterisk PBXs can use the ACL (permit/deny) in sip.conf to block IP addresses. This can fend off brute force registration attempts.
915
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

8. Disable channels and services that are not in use
• Disable channels that you aren’t using, like skinny and MGCP. For Asterisk PBXs, you can “unload” these modules in the /etc/modules.conf file

916
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

9. Make it harder for SIP scanners (set “alwaysauthreject=yes”)
• Set “alwaysauthreject=yes” in your SIP configuration file. What this does is prevent Asterisk from telling a SIP scanner which extensions are valid, by rejecting authentication requests on existing usernames with the same rejection details as for nonexistent usernames. If they can't find you they can't hack you!
• Another way to make it hard for SIP scanners is to install a SIP port firewall. This will block “scanning” of ports 5060 and 5061 and can disable the attempting endpoint for a specific time when it detects a violation.

919
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

10. Limit and restrict routing and phone number dial plans
• Restrict calling to high-cost calling destinations and don’t allow calling to 0900 + Premium numbers

920
CASE STUDY – ASTERISK VOIP SECURITY HARDENING (2)

11. Audit your system security regularly
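A checker for the sip.conf items in the two Asterisk case studies above: strong secrets that differ from the extension name (items 2 and 3), permit/deny ACLs on every peer (items 5 and 7) and alwaysauthreject=yes (item 9). This is an added example for regular auditing (item 11), not an Asterisk tool or code from the ipcomms article. The sip.conf text is constructed, `WEAK_SECRETS` and the 8-character minimum are this example's own thresholds, and a missing alwaysauthreject is reported rather than assuming any default.

```python
"""sip.conf hardening checks for the Asterisk case study (added example;
not an Asterisk tool, not ipcomms code). Sample sip.conf is constructed;
weak-secret list and length floor are this example's assumptions."""

SAMPLE_SIP_CONF = """
; constructed sip.conf showing the problems the case study warns about
[general]
context=from-trunk
alwaysauthreject=no

[101]
type=friend
secret=101
context=from-internal

[102]
type=friend
secret=Ln7#q2vP9sW!
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
"""

WEAK_SECRETS = {"", "1234", "password", "secret"}
MIN_SECRET_LENGTH = 8
PEER_TYPES = {"friend", "peer", "user"}


def parse_sip_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate
    keys because deny/permit may legitimately repeat. Accepts both
    'key=value' and 'key => value'; ';' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections


def check_sip_conf(text):
    """Return findings as (section, message) tuples; empty means clean."""
    sections = parse_sip_conf(text)
    findings = []
    general = dict(sections.get("general", []))
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not yes: scanners can "
                                    "distinguish valid from invalid extensions"))
    for name, entries in sections.items():
        if name == "general":
            continue
        kv = dict(entries)   # last value wins for single-valued keys
        if kv.get("type", "").lower() not in PEER_TYPES:
            continue
        secret = kv.get("secret", "")
        if (secret == name or secret.lower() in WEAK_SECRETS
                or len(secret) < MIN_SECRET_LENGTH):
            findings.append((name, "secret equals the extension or is weak"))
        keys = {k for k, _ in entries}
        if "deny" not in keys or "permit" not in keys:
            findings.append((name, "no deny/permit ACL: registration from any address"))
    return findings
```

On the constructed file the checker flags [general] for alwaysauthreject and extension 101 twice (secret equal to the extension, no ACL); 102 is clean. Rerunning it after every change to sip.conf is one concrete way to do item 11.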

921
Version Control For IT Assets

• Benefits of version control
• Security implications

922
Version Control For IT Assets

• Benefits of version control
– http://its.unl.edu/bestpractices/version-management

923
Version Control For IT Assets

• Benefits of version control
– 1. Organized, coordinated management of changes to software assets by one or many individuals, some of whom may be geographically dispersed
– 2. Organized, coordinated management of changes to software assets for emergency hot-fixes, routine maintenance, upgrades & new features with potentially overlapping development timeframes (e.g., work on new features occurs simultaneously with work on routine maintenance and/or hot-fixes)
– 3. An auditable change history (e.g., what changed, when, and by whom)
– 4. A reliable master copy of what assets are currently in production
– 5. A reliable master copy of assets from which to build and/or configure the production environment
– 6. Reliable copies of previous production versions of assets
– 7. Ability to see the specific differences between distinct versions of a given asset
http://its.unl.edu/bestpractices/version-management

931
Version Control For IT Assets

• Security controls:
– Access control measures
– Privilege management
– Backups

932
Version Control Best Practices

• Version control best practices
– https://intland.com/blog/sdlc/source-control-management-best-practices/

933
Version Control Best Practices

1. Starting with the basics, choose a source control system.
2. Keep your source code in source control (but not files generated / compiled from it).
3. Ensure the working file is from the latest version of the source file.
4. Only check out the file being worked upon.
5. Check in immediately after alterations are completed.
6. Review every change before committing; utilize the diff function!
7. Commit often; every commit provides a rollback position.
8. Make extensive, detailed notes in the check-in comments about why the changes were made.
9. Developers must commit their own changes (only).
10. Use the ignore button for files that should not be committed; consider adding pre-commit filters to prevent the wrong kinds of file (such as accidental check-in of personal user settings docs) from entering the source control.
11. Ensure external dependencies are added to the source control, a common problem where everything works great on the contributing developer's system but not elsewhere because they forgot to add dependent files to the system.
https://intland.com/blog/sdlc/source-control-management-best-practices/
938
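The pre-commit filter mentioned in item 10 can be implemented as a git hook that inspects what is actually staged. The script below is an added example and is not code from the handout or from the linked blog post; it assumes a git repository, installation as `.git/hooks/pre-commit`, and the constructed deny-list patterns and secret markers shown, which a project would replace with its own.

```python
#!/usr/bin/env python3
"""Pre-commit hook that blocks files which should never enter source control.

Added example (not from the handout or the linked blog). It assumes the
repository is git and that this file is installed as .git/hooks/pre-commit.
The patterns below are constructed for illustration; tune them per project.
"""
import fnmatch
import subprocess
import sys

# Constructed deny-list: personal IDE settings, generated/compiled output and
# credential files. Each entry is a glob matched against the repo-relative path
# and against the bare file name.
DENY_PATTERNS = [
    "*.suo", "*.user", ".vscode/settings.json", ".idea/workspace.xml",  # personal settings
    "*.o", "*.pyc", "bin/*", "obj/*", "build/*",                        # generated / compiled
    ".env", "*.pem", "*.key", "id_rsa", "*.pfx",                         # credentials, private keys
]

# Constructed content markers: a PEM private-key header and the AWS access key id prefix.
SECRET_MARKERS = [b"PRIVATE KEY-----", b"AKIA"]


def find_disallowed(paths):
    """Return the subset of `paths` (in order) that matches a deny pattern."""
    hits = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]  # so "src/.env" is caught by the ".env" pattern
        if any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch(name, p) for p in DENY_PATTERNS):
            hits.append(path)
    return hits


def find_secret_markers(blobs):
    """Return paths whose staged bytes contain a secret marker.

    `blobs` maps path -> staged content, so the hook checks what will be
    committed rather than the (possibly different) working copy.
    """
    return [path for path, data in blobs.items()
            if any(marker in data for marker in SECRET_MARKERS)]


def staged_paths():
    """Paths added/copied/modified/renamed in the index; deletions are skipped."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR"],
        check=True, capture_output=True, text=True).stdout
    return [line for line in out.splitlines() if line]


def staged_blob(path):
    """Content of `path` as it sits in the index (":path" addresses the index)."""
    return subprocess.run(["git", "show", f":{path}"],
                          check=True, capture_output=True).stdout


def main():
    paths = staged_paths()
    bad = find_disallowed(paths)
    leaks = find_secret_markers({p: staged_blob(p) for p in paths if p not in bad})
    for p in bad:
        print(f"refusing to commit {p}: matches deny pattern", file=sys.stderr)
    for p in leaks:
        print(f"refusing to commit {p}: content looks like a secret", file=sys.stderr)
    if bad or leaks:
        print("unstage the file (git reset -- <path>) or add it to .gitignore", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit from the hook aborts the commit; `git commit --no-verify` bypasses it, so a server-side check on the shared repository is still needed for a hard guarantee.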
SECURITY HARDENING - SECURE SOFTWARE IMAGES

• CIS 20 CRITICAL SECURITY CONTROLS
• CONTROL 5, VERSION 7
• Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

5.1 Establish Secure Configurations
• Maintain documented, standard security configuration standards for all authorized operating systems and software.

5.2 Maintain Secure Images
• Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

5.3 Securely Store Master Images
• Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

5.4 Deploy System Configuration Management Tools
• Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

5.5 Implement Automated Configuration Monitoring Systems
• Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
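Sub-control 5.3 asks that master images be validated with integrity monitoring tools, and 5.5 that unauthorized changes raise an alert. The script below is an added example, not CIS or vendor code; it assumes master images are kept as files under one directory on the image server and that the SHA-256 manifest is stored somewhere that server cannot write to. The `demo()` function constructs two dummy image files in a temporary directory, baselines them, then tampers with one, deletes one and drops an extra file so the report shows all three kinds of drift.

```python
#!/usr/bin/env python3
"""Build and verify a SHA-256 manifest for a master image directory.

Added example, not from the CIS document or the handout. Assumes master images
are files under one directory and the manifest lives in a separate, read-only
location; run verify on a schedule and alert on any non-empty result.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-GB images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(image_dir):
    """Map every file under `image_dir` (relative POSIX path) to its SHA-256 digest."""
    root = Path(image_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(image_dir, manifest):
    """Compare the directory against the manifest.

    Returns 'modified' (digest differs), 'missing' (in manifest, absent on disk)
    and 'unexpected' (on disk, not in manifest). All three empty means only
    authorized content is present.
    """
    current = build_manifest(image_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed walk-through: baseline two dummy images, then simulate drift and verify."""
    with tempfile.TemporaryDirectory() as tmp_root:
        images = Path(tmp_root) / "images"
        images.mkdir()
        (images / "rhel7-base.qcow2").write_bytes(b"constructed image content A")
        (images / "win10-std.wim").write_bytes(b"constructed image content B")
        manifest_path = Path(tmp_root) / "manifest.json"
        save_manifest(build_manifest(images), manifest_path)

        # Simulate an unauthorized edit, a deleted image and a file nobody approved.
        (images / "rhel7-base.qcow2").write_bytes(b"tampered")
        (images / "win10-std.wim").unlink()
        (images / "rogue.iso").write_bytes(b"not approved")
        return verify_manifest(images, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only detects drift; the "securely configured server" part of 5.3 still comes from access control on the image share, and the verification job must run under an identity that can read but not write the images.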
SECURITY HARDENING – MANUAL & AUTOMATED WORK

• Manual & automated mechanisms for security hardening & validation
CASE STUDY – PERL APPLICATIONS SECURITY HARDENING

The 8-step hardening methodology:
1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor
SECURITY HARDENING – MANUAL & AUTOMATED WORK

• Step 1: Scan an IT asset using Qualys compliance scan, Nessus compliance scan, or CIS CAT Pro Tool
• Acquire report of failed controls
• Step 2: Apply the failed controls using AD (for Windows) or manually for other systems & devices
• Step 3: Use the automated feature of Qualys compliance scan, Nessus compliance scan or CIS CAT Pro Tool to verify that the applied controls are in place
• Compare the ‘before’ and ‘after’ report
• Step 4: Manually verify if any discrepancy is found (control should be in place but is not being validated by the tool)
• Step 5: For any system or device for which the Qualys compliance scan, Nessus compliance scan, or CIS CAT Pro Tool scan cannot be performed, conduct the validation of control implementation manually
• Use sampling where necessary during manual validation work to reduce workload
• For example, 15-20% of assets may be checked at random
• Or 15-20% of controls may be checked on an asset
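Steps 3 to 5 above come down to comparing the ‘before’ and ‘after’ reports, flagging what still needs a manual look, and sampling the manual work. The script below is an added example; it does not read real Qualys, Nessus or CIS-CAT output and assumes the two scans were exported to a constructed CSV with the columns host, control_id, status (PASS or FAIL).

```python
#!/usr/bin/env python3
"""Compare 'before'/'after' compliance-scan exports and pick a manual-check sample.

Added example: the CSV layout and the data are constructed stand-ins for what a
compliance scanner actually exports, and nothing here calls a vendor API.
"""
import csv
import io
import random

# Constructed exports: srv-01 fully hardened; srv-02 has one control still
# failing and one control that passed before but fails now (a regression).
BEFORE_CSV = """host,control_id,status
srv-01,1.1.1,FAIL
srv-01,5.2.8,FAIL
srv-01,6.1.2,PASS
srv-02,1.1.1,FAIL
srv-02,5.2.8,FAIL
srv-02,6.1.2,PASS
"""

AFTER_CSV = """host,control_id,status
srv-01,1.1.1,PASS
srv-01,5.2.8,PASS
srv-01,6.1.2,PASS
srv-02,1.1.1,PASS
srv-02,5.2.8,FAIL
srv-02,6.1.2,FAIL
"""


def load_results(text):
    """Parse an export into {(host, control_id): 'PASS' | 'FAIL'}."""
    reader = csv.DictReader(io.StringIO(text))
    return {(row["host"], row["control_id"]): row["status"].strip().upper() for row in reader}


def compare_scans(before, after):
    """Classify every (host, control) pair seen in either scan.

    fixed:      FAIL before, PASS after  (applied control validated by the tool)
    still_fail: FAIL in both             (not applied, or applied but not detected: manual check)
    regressed:  PASS before, FAIL after  (hardening broke or reverted something)
    """
    out = {"fixed": [], "still_fail": [], "regressed": []}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if b == "FAIL" and a == "PASS":
            out["fixed"].append(key)
        elif b == "FAIL" and a == "FAIL":
            out["still_fail"].append(key)
        elif b == "PASS" and a == "FAIL":
            out["regressed"].append(key)
    return out


def pass_rate(results):
    """Fraction of controls passing, per host, for the before/after summary."""
    per_host = {}
    for (host, _), status in results.items():
        total, passed = per_host.get(host, (0, 0))
        per_host[host] = (total + 1, passed + (status == "PASS"))
    return {h: passed / total for h, (total, passed) in per_host.items()}


def sample_for_manual_check(items, fraction=0.2, seed=None):
    """Random sample (at least one) of hosts or controls for manual validation.

    The handout suggests 15-20%; passing `seed` makes the selection reproducible
    so the sampled set can be recorded in the validation report.
    """
    items = sorted(items)
    if not items:
        return []
    n = max(1, round(len(items) * fraction))
    return sorted(random.Random(seed).sample(items, n))


if __name__ == "__main__":
    before, after = load_results(BEFORE_CSV), load_results(AFTER_CSV)
    for bucket, pairs in compare_scans(before, after).items():
        print(bucket, pairs)
    print("pass rate after:", pass_rate(after))
    print("hosts sampled for manual check:", sample_for_manual_check({h for h, _ in after}, seed=1))
```

The `still_fail` bucket is the Step 4 work list (is the control really missing, or is the check not seeing it?), and `regressed` is the list to take back through change management before anything reaches PROD.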
QUALYS DEMO – SECURITY HARDENING

• Let's have a look at how Qualys can aid in the security hardening process

(Screenshots: Qualys website – free trial; QualysGuard – home screen; Policy Compliance – home screen; Policy Compliance – 5 steps; help options; online help – Policy Compliance; resources; Qualys website – training; training videos – Vimeo)

• Qualys is an excellent tool with detailed online help, training, and resources to aid the new user
QUALYS DEMO – SECURITY HARDENING II

• Let's have a detailed look at the Qualys interface for Policy Compliance

(Screenshots: 1. Add IP addresses to scan; 2. Configure scan settings; new compliance profile; ‘CIS scan test profile’ created; 3. Configure authentication; compliance library: CIS Red Hat Ent. Linux 7; policy editor; launch compliance scan)

• The scan features may also be adjusted from the main Qualys dashboard
SECURITY HARDENING – LIFECYCLE

• Security Hardening Lifecycle: Maintaining An Integrated & Current Program

The lifecycle cycles through five stages:
1. Harden IT Asset
2. Periodic Validation
3. Seek Updates On Hardening Benchmarks
4. Implement Additional Controls
5. Pursue Controls That May Require Additional Working

1: Harden IT Asset
Pursue the 8-step hardening methodology:
1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

2: Periodic Validation
Check periodically (every quarter) for changes to the established standard or baseline

3: Seek Updates On Hardening Benchmarks
• Benchmarks are periodically updated
• Subscribe to feeds from CIS, DISA, NIST NCP (National Checklist Program) Repository

4: Implement Additional Controls
• Update the security controls by studying the changes

5: Pursue & Implement Controls That May Require Additional Working
• Some controls may have caused a crash or malfunction
• Some controls may not have been possible due to dependencies or missing utilities
• Enhance the % of implemented controls
Hardening When CIS/DISA STIG Not Available

• What types of IT assets do not have a CIS/DISA STIG?
– Software applications (ASP.NET, PHP, other)
– Other applications such as Asterisk deployments

The same 8-step hardening methodology applies:
1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor

• Step 2: Research:
– Look up Google
– Look for case studies and whitepapers

• Other considerations:
– Implement on test setup
– Test the controls
– Security testing tools
– Perform third-party security testing (penetration testing)
– Vendor best practices for application security hardening

• With effort and by following the 8-step methodology, all types of assets can be hardened
QUALYS POLICY LIBRARIES

• Let's have a detailed look at the Qualys built-in libraries for creating scanning policies
• CIS
• QUALYS
• MANDATE
• DISA
• VENDOR

(Screenshots: explore the controls library; Create New Policy > Import From Library; create a new policy; CIS > Red Hat Ent. Linux 7.x; policies dashboard; DISA STIG; Qualys SAP Adaptive Server Ent 16; vendor policies)

• Qualys has a vast number of options for compliance scans, and these should be fully explored through the Qualys trial
Security Hardening For Outsourced IT Assets

• IT Outsourcing
• Mechanism to harden outsourced IT assets
• Important considerations

• IT Outsourcing examples:
– Call centers
– Hosted servers
– Software development
– Workstation helpdesk functions
– Network services
– Any other arrangement

• Mechanism:
– Information Security Policy
– Vendor contract (right-to-audit clause)
– Set up security project with security project manager
– Periodic reviews
– Penalties for non-compliance

• Important considerations:
– Enter security requirements into RFP
– Part of vendor evaluation
– Proceed with contract including InfoSec clauses
– Awareness training

• Security evaluations:
– Include outsourced scope in periodic internal audit
– Ask for third-party security review
– Vulnerability assessment and penetration test (if applicable)
– Spot security checks
What is Vulnerability Management ?

• What is a vulnerability ?
– Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system itself, in a set of procedures, or in anything that leaves information security exposed to a threat.
https://www.techopedia.com/definition/13484/vulnerability

• How do you fix vulnerabilities ?
– Computer users and network personnel can protect computer systems from vulnerabilities by keeping software security patches up to date. These patches can remedy flaws or security holes that were found in the initial release. Computer and network personnel should also stay informed about current vulnerabilities in the software they use and seek out ways to protect against them.
https://www.techopedia.com/definition/13484/vulnerability

• What is vulnerability management ?
– Vulnerability management is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities"
Foreman, P: Vulnerability Management, page 1.

• What is vulnerability assessment (VA) ?
– A process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure.
http://searchmidmarketsecurity.techtarget.com/definition/vulnerability-analysis

• What are some of the common vulnerability scanners ?
– OpenVAS
– Nessus
– Qualys
– Rapid7
What Are The Steps In VM Lifecycle ?

VM Steps:
1. Analyze assets
2. Prepare scanner
3. Run vulnerability scan
4. Assess results
5. Patch systems
6. Verify (re-scan)

1. Analyze Assets
– Examine assets to scan
– Gather details on IP subnet
– Look at potential issues with network traffic
– Inform asset owners and relevant department heads

2. Prepare Scanner
– Set scanner parameters
– Select type of scan
– Look at credentials-based scan
– Explore and research plug-ins
– Do a test run
– Coordinate with asset owner

3. Run Vulnerability Scanner
– Run the automated scan
– Monitor network performance degradation issues
– Generate report

4. Assess Results
– Evaluate results
– Prioritize according to the risk level
– Collate results for asset owners
– Communicate the results and remediation timelines

5. Patch Systems
– Research vulnerabilities
– Evaluate fixes and remediation method
– Test the patches and fixes
– Apply patches/fixes
– Monitor results

6. Verify (Re-scan)
– Re-scan to confirm that the vulnerability scanner gives a positive report
– Collate results of vulnerability scan
– Report findings
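Step 4 (prioritize by risk level, collate per asset owner, attach remediation timelines) is where scanner output turns into work for someone. The script below is an added example, not from the handout or any scanner vendor; it assumes the findings have already been exported as records carrying a CVSS base score, a constructed asset inventory giving each host's owner, criticality and exposure, and constructed scoring thresholds and SLA days that an organization would replace with its own policy values.

```python
#!/usr/bin/env python3
"""Prioritize vulnerability-scan findings and collate them per asset owner.

Added example: no real scanner format is parsed, and the weights, bands and
SLA days are constructed policy values.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed asset inventory: owner, criticality (1 low .. 3 high), exposure.
ASSETS = {
    "web-01": {"owner": "ecommerce", "criticality": 3, "internet_facing": True},
    "db-01": {"owner": "ecommerce", "criticality": 3, "internet_facing": False},
    "hr-ws-17": {"owner": "hr-it", "criticality": 1, "internet_facing": False},
}

# Constructed findings in the shape a scanner export might take (ids are illustrative).
FINDINGS = [
    {"host": "web-01", "id": "F-1001", "title": "Outdated TLS library", "cvss": 9.8},
    {"host": "db-01", "id": "F-1002", "title": "Default admin account enabled", "cvss": 7.5},
    {"host": "hr-ws-17", "id": "F-1003", "title": "Missing browser update", "cvss": 8.8},
    {"host": "hr-ws-17", "id": "F-1004", "title": "Informational banner", "cvss": 2.0},
]

# Constructed remediation SLA per priority band, in days.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


def risk_score(finding, asset):
    """Scale CVSS by asset criticality and add a bump for internet exposure.

    A 9.8 on a critical, exposed host must outrank the same 9.8 on an isolated
    low-value workstation; raw CVSS alone cannot express that.
    """
    score = finding["cvss"] * asset["criticality"]
    if asset["internet_facing"]:
        score += 5.0
    return round(score, 1)


def priority_band(score):
    """Map a risk score to a priority band (thresholds are constructed policy)."""
    if score >= 25:
        return "P1"
    if score >= 15:
        return "P2"
    if score >= 8:
        return "P3"
    return "P4"


def prioritize(findings, assets, scan_date):
    """Annotate findings with owner, risk, band and due date; highest risk first."""
    out = []
    for f in findings:
        asset = assets[f["host"]]
        score = risk_score(f, asset)
        band = priority_band(score)
        out.append({**f, "owner": asset["owner"], "risk": score, "priority": band,
                    "due": scan_date + timedelta(days=SLA_DAYS[band])})
    return sorted(out, key=lambda r: (-r["risk"], r["host"], r["id"]))


def collate_by_owner(prioritized):
    """Group annotated findings by asset owner for the remediation hand-off."""
    by_owner = defaultdict(list)
    for r in prioritized:
        by_owner[r["owner"]].append(r)
    return dict(by_owner)


def run_demo():
    """Run the constructed data set against a fixed scan date (2024-01-15)."""
    return prioritize(FINDINGS, ASSETS, date(2024, 1, 15))


if __name__ == "__main__":
    for owner, items in collate_by_owner(run_demo()).items():
        print(owner)
        for r in items:
            print(f"  {r['priority']} risk={r['risk']:5.1f} due={r['due']} {r['host']} {r['title']}")
```

The per-owner groups are what goes out in the Step 4 communication; the `due` dates are the remediation timelines that the Step 6 re-scan is checked against.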
Why Is Software Insecure ?

• Software is everywhere in IT
• Software is being developed in a manner which leaves many defects which may be exploited by attackers
• Race to meet software deadlines with little emphasis on security
• Result: insecure software

• Gary McGraw, “trinity of trouble” for software security:
– Connectivity: ever-increasing computer connectivity, including to the internet, enhances exposure to attacks
– Extensibility: “Second, an extensible system is one that supports updates and extensions and thereby allows functionality to evolve incrementally. Web browsers, for example, support plug-ins that enable users to install extensions for new document types. Extensibility is attractive for purposes of increasing functionality, but also makes it difficult to keep the constantly-adapting system free of software vulnerabilities.”
– Complexity: Software systems are growing exponentially in size and complexity, which makes vulnerabilities unavoidable.
https://newrepublic.com/article/115145/us-cybersecurity-why-software-so-insecure

• Carnegie Mellon University's CyLab Sustainable Computing Consortium estimates that commercial software contains 20 to 30 bugs for every 1,000 lines of code, and Windows XP contains at least 40 million lines of code
• That’s 1 million bugs in Windows XP !
https://newrepublic.com/article/115145/us-cybersecurity-why-software-so-insecure

• Monoculture: Dan Geer: “The security situation is deteriorating, and that deterioration compounds when nearly all computers in the hands of end users rely on a single operating system subject to the same vulnerabilities the world over.”
https://newrepublic.com/article/115145/us-cybersecurity-why-software-so-insecure
Why Is A VM Program Required ?

• What is a patch ?
– “A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs”
https://en.wikipedia.org/wiki/Patch_(computing)

• What is patch management ?
– Patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system.
http://searchenterprisedesktop.techtarget.com/definition/patch-management

• Patch management tasks:
– Maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, ensuring that patches are installed properly, testing systems after installation, and documenting all associated procedures, such as specific configs required.
http://searchenterprisedesktop.techtarget.com/definition/patch-management

Risk of not patching:
• By not applying a patch you might be leaving the door open for a malware attack
• Malware exploits flaws in a system in order to do its work. In addition, the timeframe between an exploit and when a patch is released is getting shorter
• Defects in clients like web browsers, email programs, image viewers, instant messaging software, and media players may allow malicious websites, etc. to infect or compromise your computer with no action on your part other than viewing or listening to the website, message, or media
https://ist.mit.edu/security/patches

A VM program addresses timely management of patching to ensure that vulnerabilities are not present for hackers to exploit…
