Transcript Who Am I?

(C) MARCHANY 2011
1
WHO AM I?
Been working in IT Security since 1992, working in IT for 38 years
CISO at VA Tech
• 40K node network, dual-stack IPv4/IPv6 network since 2006
• Multi-national: main campus (Blacksburg, VA), remote campuses (Arlington, Norfolk, VA), Swiss, Indian, Egyptian campuses
My IT Security Philosophy
All Security is Local
Empower the local IT staff
The Business Process trumps the Security Process
Learn the business process before imposing security requirements
Restrictive security practices cause worse problems overall
MOST COMMON SECURITY MISTAKES MADE BY INDIVIDUALS (2001)
Poor password management
Leaving your computer on, unattended
Opening e-mail attachments from strangers
Not installing anti-virus software
Laptops on the loose
Blabber mouths
Plug and Play without protection
Not reporting security violations
Always behind the times (OS, application patches)
Keeping an eye out inside the organization
WHAT I SAID: 1990’S – 2000’S
“Viruses, trojans and worms will never be eliminated.
There is a multi-billion $ industry built to contain
them.” - RCM 2002
There’s no economic incentive to eliminate the root
causes of cybersecurity issues.
We have created a cyber-security industrial complex
Eisenhower was right.
VT CYBER SECURITY STRATEGY
University has 3 main business processes
 • Academic, Administrative, Research
Academic
 • Open access needed – THE ISP MODEL
Administrative
 • Traditional corporate security model
Research
 • Hybrid
 • Open access
 • Restricted research, e.g. ITAR
VA TECH IT SECURITY STRATEGY
Based on ISO 27002, NIST 800-53 Standards
BYOD
 • All students required to purchase their own computers, bring their own smartphones.
 • We’ve been doing this since 1984
Protect sensitive data regardless of location
Business process defines and trumps the security process if there is a conflict
IT and Business processes must adapt to new situations
Don’t care what comes in the net. Worry about what leaves the net.
IMPLEMENTING THE 20 CRITICAL CONTROLS STRATEGY
Quick wins
Focus on the most common and damaging threats
Consistent implementation
Metrics to justify acquisitions
Interfere with
Attackers getting in
Attackers staying in
Attackers causing damage
Focus on what leaves the net rather than what comes in
WHY 20 CRITICAL CONTROLS?
Subset of the Priority 1 items in NIST 800-53
Mapping of 27002->800-53->20 Critical Controls
http://www.systemexperts.com/assets/tutors/SystemExperts-SANS20-1.pdf
Technical controls only, not operational controls
Have to start somewhere
Focus is ASSURANCE not compliance!
THE 20 CRITICAL CONTROLS: 1-3
1. Inventory of authorized and unauthorized devices
Reduce the ability of attackers to find and exploit unauthorized and unprotected
systems: Use active monitoring and configuration management to maintain an
up-to-date inventory
2. Inventory of authorized and unauthorized software
Identify vulnerable or malicious software to mitigate or root out attacks: Devise a
list of authorized software for each type of system, and deploy tools to track
software installed (including type, version, and patches)
3. Secure configurations for hardware and software on laptops, workstations,
and servers
Prevent attackers from exploiting services and settings that allow easy access
through networks and browsers: Build a secure image that is used for all new
systems deployed to the enterprise
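Control 1 in practice comes down to one recurring job: reconcile what is actually seen on the wire against the authorized inventory and act on the differences. The script below is an added illustration, not code from this deck or from VA Tech. The inventory records, the "key=value" observation lines and the three result categories are all constructed for the example; a real DHCP or switch-ARP export will need its own parser, but the reconciliation logic is the same.

```python
import re
from collections import defaultdict

# Constructed authorized inventory (illustrative; not a real organization's data).
# Keyed by normalized MAC; each record carries the expected VLAN and an owner.
AUTHORIZED = {
    "00:11:22:33:44:55": {"host": "lib-ws-01", "owner": "library", "vlan": 10},
    "00:11:22:33:44:66": {"host": "fin-srv-02", "owner": "finance", "vlan": 20},
    "00:11:22:33:44:77": {"host": "net-mon-01", "owner": "netops", "vlan": 99},
}

# Constructed observation lines in a hypothetical "key=value" export from a
# DHCP or switch-ARP collector. MAC formats deliberately vary between lines.
OBSERVED_LINES = [
    "ts=1700000000 vlan=10 mac=00-11-22-33-44-55 ip=10.0.10.5",
    "ts=1700000010 vlan=20 mac=0011.2233.4466 ip=10.0.20.8",
    "ts=1700000020 vlan=10 mac=DE:AD:BE:EF:00:01 ip=10.0.10.77",  # not in inventory
    "ts=1700000030 vlan=30 mac=00:11:22:33:44:66 ip=10.0.30.8",   # finance server on wrong VLAN
    "malformed line that should be skipped",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def normalize_mac(raw: str) -> str:
    """Accept 00:11:..., 00-11-..., or Cisco-style 0011.2233.4455; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_observation(line: str):
    """Return (vlan, mac, ip) or None when the line lacks the needed fields."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return int(fields["vlan"]), normalize_mac(fields["mac"]), fields["ip"]
    except (KeyError, ValueError):
        return None


def reconcile(observed_lines, authorized):
    """Compare observations with the inventory.

    unauthorized: MACs seen on the network that no record authorizes.
    misplaced:    authorized devices seen on a VLAN other than their recorded one.
    unseen:       authorized devices that never appeared (offline, moved, or stale record).
    """
    seen = defaultdict(set)  # mac -> set of (vlan, ip) sightings
    for line in observed_lines:
        parsed = parse_observation(line)
        if parsed is None:
            continue
        vlan, mac, ip = parsed
        seen[mac].add((vlan, ip))

    unauthorized, misplaced = [], []
    for mac, sightings in sorted(seen.items()):
        record = authorized.get(mac)
        if record is None:
            unauthorized.append((mac, sorted(sightings)))
            continue
        for vlan, ip in sorted(sightings):
            if vlan != record["vlan"]:
                misplaced.append((record["host"], mac, vlan, ip))
    unseen = sorted(authorized[m]["host"] for m in authorized if m not in seen)
    return {"unauthorized": unauthorized, "misplaced": misplaced, "unseen": unseen}


if __name__ == "__main__":
    for kind, items in reconcile(OBSERVED_LINES, AUTHORIZED).items():
        print(kind, items)
```

The "unseen" list is as useful as the "unauthorized" one: a device that has not appeared for weeks is either gone (so the record is stale and should be retired) or has been moved somewhere the collector does not watch, and either answer improves the inventory.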
THE 20 CRITICAL CONTROLS: 4-5
4. Continuous Vulnerability Assessment and Remediation
Proactively identify and repair software vulnerabilities reported by security
researchers or vendors: Regularly run automated vulnerability scanning tools
against all systems and quickly remediate any vulnerabilities
5. Malware Defenses
Block malicious code from tampering with system settings or contents,
capturing sensitive data, or spreading
THE 20 CRITICAL CONTROLS: 6-10
6. Application Software Security
Neutralize vulnerabilities in web-based and other application software:
Vendor Application Security Questionnaire
7. Wireless Device Control
Protect the security perimeter against unauthorized wireless access: Allow wireless
devices to connect to the network only if it matches an authorized configuration and
security profile and has a documented owner and defined business need.
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Appropriate Training To Fill Gaps (validated manually)
10. Secure configurations for network devices such as firewalls, routers, and switches
Preclude electronic holes from forming at connection points with the Internet, other
organizations, and internal network segments: Compare firewall, router, and switch
configurations against standards for each type of network device.
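Controls 3 and 10 both reduce to comparing a live configuration against a written standard and reporting the deviations. The checker below is an added example, not code from this deck or from VA Tech, and its baseline is deliberately small and illustrative: the required and forbidden lines are not VA Tech's standard or any vendor's published hardening guide. The IOS-style sample config is constructed, with several deviations planted on purpose.

```python
import re

# Constructed, illustrative baseline for a hypothetical IOS-style device.
# Names map to a regex matched against each global (unindented) config line.
REQUIRED_GLOBAL = {
    "service password-encryption": r"^service password-encryption$",
    "enable secret configured": r"^enable secret ",
    "HTTP management disabled": r"^no ip http server$",
    "remote syslog destination": r"^logging host \d{1,3}(\.\d{1,3}){3}$",
}
FORBIDDEN_GLOBAL = {
    "SNMPv1/v2c community string": r"^snmp-server community ",
    "reversible enable password": r"^enable password ",
    "HTTP management enabled": r"^ip http server$",
}
# Every "line vty" block must restrict remote management transport to SSH.
VTY_REQUIRED = ("transport input ssh", r"^transport input ssh$")


def parse_blocks(config_text):
    """Split an IOS-style config into global lines and {header: [indented lines]} blocks."""
    global_lines, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # blank lines and comment separators
        if raw.startswith(" "):
            if current is not None:       # indented line belongs to the open block
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            global_lines.append(current)
    return global_lines, blocks


def check_config(config_text):
    """Return a sorted list of (kind, finding) deviations from the baseline."""
    global_lines, blocks = parse_blocks(config_text)
    findings = []
    for name, pattern in REQUIRED_GLOBAL.items():
        if not any(re.match(pattern, line) for line in global_lines):
            findings.append(("missing", name))
    for name, pattern in FORBIDDEN_GLOBAL.items():
        for line in global_lines:
            if re.match(pattern, line):
                findings.append(("forbidden", f"{name}: {line}"))
    vty_name, vty_pattern = VTY_REQUIRED
    for header, body in blocks.items():
        if header.startswith("line vty") and not any(re.match(vty_pattern, entry) for entry in body):
            findings.append(("missing", f"{vty_name} on '{header}'"))
    return sorted(findings)


# Constructed sample config with deliberate deviations (fictional device).
SAMPLE_CONFIG = """\
!
hostname edge-sw-01
enable password cisco123
ip http server
snmp-server community public RO
logging host 10.0.99.5
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
"""

if __name__ == "__main__":
    for kind, detail in check_config(SAMPLE_CONFIG):
        print(f"{kind:9} {detail}")
```

Run against every device config pulled on a schedule, the output is a per-device deviation list that can be trended over time, which is exactly the kind of metric the strategy slide asks for to justify acquisitions and to show the control is consistently implemented rather than merely documented.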
THE 20 CRITICAL CONTROLS: 11-13
11. Limitation and Control of Network Ports, Protocols, and Services
Allow remote access only to legitimate users and services: Apply host-based
firewalls and port-filtering and scanning tools to block traffic that is not explicitly
allowed
12. Controlled Use of Administrative Privileges
Protect and validate administrative accounts on desktops, laptops, and servers to
prevent two common types of attack:
13. Boundary Defense
Control the flow of traffic through network borders, and police content by looking
for attacks and evidence of compromised machines:
THE 20 CRITICAL CONTROLS: 14-15
14. Maintenance, Monitoring and Analysis of Audit Logs
Use detailed logs to identify and uncover the details of an attack, including the
location, malicious software deployed, and activity on victim machines: Store
logs on dedicated servers, and run biweekly reports to identify and document
anomalies.
15. Controlled Access Based On Need to Know
Prevent attackers from gaining access to highly sensitive data: Carefully identify
and separate critical data from information that is readily available to internal
network users. Establish a multilevel data classification scheme based on the
impact of any data exposure, and ensure that only authenticated users have
access to nonpublic data and files.
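Control 14 asks for logs on a dedicated server and periodic reports that identify anomalies. The following is an added example, not code from this deck or from VA Tech, of what one such report can compute from authentication logs: a per-source sliding window over sshd failures that flags a password-guessing burst, and, more importantly, a success from the same source while the burst is still inside the window. The syslog lines are constructed (hosts and addresses are fictional; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), the field layout follows the common sshd message format, and the threshold and window are arbitrary tuning knobs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style syslog lines for the example (no real hosts or addresses).
SAMPLE_LOG = """\
Mar 14 02:00:01 web01 sshd[2201]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2
Mar 14 02:00:05 web01 sshd[2202]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
Mar 14 02:00:06 web01 sshd[2203]: Failed password for invalid user test from 203.0.113.9 port 41001 ssh2
Mar 14 02:00:07 web01 sshd[2204]: Failed password for root from 203.0.113.9 port 41002 ssh2
Mar 14 02:00:08 web01 sshd[2205]: Failed password for root from 203.0.113.9 port 41003 ssh2
Mar 14 02:00:09 web01 sshd[2206]: Failed password for root from 203.0.113.9 port 41004 ssh2
Mar 14 02:00:20 web01 sshd[2207]: Accepted password for root from 203.0.113.9 port 41005 ssh2
Mar 14 09:15:00 web01 sshd[2301]: Failed password for alice from 198.51.100.20 port 52000 ssh2
Mar 14 09:15:30 web01 sshd[2302]: Accepted password for alice from 198.51.100.20 port 52001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2011):
    """Parse one sshd auth line; syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window_seconds=60, year=2011):
    """Flag (a) sources with >= threshold failures inside a sliding window and
    (b) any accepted login from such a source while failures are still in the window.
    Returns a list of finding tuples in time order."""
    events = [e for e in (parse_line(line, year) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    burst_sources = set()
    findings = []
    for e in events:
        q = recent[e["src"]]
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire failures that fell out of the window
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) >= threshold and e["src"] not in burst_sources:
                burst_sources.add(e["src"])
                findings.append(("brute_force", e["src"], e["ts"].isoformat()))
        elif q and e["src"] in burst_sources:
            findings.append(("success_after_burst", e["src"], e["user"], e["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The single failed attempt by alice followed by a success is ordinary user behaviour and produces nothing; the same shape from a source that just burned through five guesses is the finding that justifies looking at the victim machine, which is the "uncover the details of an attack" part of the control.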
THE 20 CRITICAL CONTROLS: 16-20
16. Account Monitoring and Control
Keep attackers from impersonating legitimate users: Review all system accounts and
disable any that are not associated with a business process and owner.
17. Data Loss Prevention
Stop unauthorized transfer of sensitive data through network attacks and physical
theft: Scrutinize the movement of data across network boundaries, both electronically
and physically, to minimize the exposure to attackers.
18. Incident Response Capability (validated manually)
19. Secure Network Engineering (validated manually)
Keep poor network design from enabling attackers: Use a robust, secure network
engineering process to prevent security controls from being circumvented. Allow rapid
deployment of new access controls to quickly deflect attacks.
20. Penetration Tests and Red Team Exercises (validated manually)
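Control 17 is where the deck's "worry about what leaves the net" becomes a mechanism. The scanner below is an added example, not code from this deck or from VA Tech: it looks for card numbers and US Social Security numbers in outbound payloads, and uses the Luhn checksum and the SSN structural rules (no 000/666/9xx area, 00 group, or 0000 serial) to discard the matches that plain regexes would raise as false positives. The payloads are constructed; the card numbers are the usual published test numbers, not real accounts, and 123-45-6789 is used only because it is structurally valid. Pattern matching of this kind is necessarily noisy and a real deployment layers context (who, to where, which file type) on top of it.

```python
import re

# Constructed outbound payloads (e-mail bodies, form posts, file contents).
# Card numbers are standard test numbers; no real accounts or people.
SAMPLES = {
    "invoice": "Invoice 5555-5555-5555-4444 total due: $1,200.00 ref 123-45-6789",
    "ticket_note": "Customer order 20231101, shipped to ZIP 24061, phone 555-0100",
    "qa_export": "Test cards 4111 1111 1111 1112 and 4111111111111111 used in QA",
    "hr_template": "Use 000-12-3456 as the placeholder SSN on the blank form",
}

# 13-19 digits with optional single space/dash separators, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs; rejects obvious placeholders."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan(text: str):
    """Return (kind, masked_value) findings for one outbound payload."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    return findings


def classify(payloads, block_on=("pan", "ssn")):
    """Per payload: 'block' if any finding is in block_on, else 'allow'."""
    return {
        name: "block" if any(kind in block_on for kind, _ in scan(text)) else "allow"
        for name, text in payloads.items()
    }


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify({name: text})[name], scan(text))
```

Masking the matched value before it goes into a finding matters: a DLP alert that quotes the full card number just creates a second copy of the data the control exists to protect.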
IMPLEMENTATION TIPS
Secure upper management backing
Do a 20 Critical Controls Gap Analysis
Find out who at your organization has the information needed by a particular control
Get access to the info
Pick 2-4 controls at a time
Rinse, lather and repeat
This is a 3-5 year project.
YOU HAVE THE ANSWERS ALREADY
1. Inventory of authorized and unauthorized devices
Obtain from your network management group
2. Inventory of authorized and unauthorized software
Obtain from software purchasing group
3. Secure configurations for hardware and software on laptops, workstations, and
servers
Policy
4. Continuous Vulnerability Assessment and Remediation
IT Security Office runs weekly scans against critical servers
5. Malware Defense
IT Security Office
YOU HAVE THE ANSWERS ALREADY
6. Application Software Security
Security Questionnaires
7. Wireless Device Control
Network management group
8. Data Recovery Capability (validated manually)
Network Backup service, departmental backup process
9. Security Skills Assessment & Appropriate Training To Fill Gaps (validated manually)
Secure the Human
10. Secure configurations for network devices such as firewalls, routers, and switches
Network Management Group
YOU HAVE THE ANSWERS ALREADY
11. Limitation and Control of Network Ports, Protocols, and Services
Policy, Standards, Individual Departmental guidelines
12. Controlled Use of Administrative Privileges
Policy, Standards, Individual Departmental guidelines
13. Boundary Defense
Policy, Standards, define the boundary!
14. Maintenance, Monitoring and Analysis of Audit Logs
Standard Sysadmin practice, SIEM, Syslog server
15. Controlled Access Based On Need to Know
Business process rules, Identity Mgt process
YOU HAVE THE ANSWERS ALREADY
16. Account Monitoring and Control
HR Policies/process, Identity Mgt process
17. Data Loss Prevention
Sensitive Data protection policy/standards, network forensics
18. Incident Response Capability (validated manually)
IT Security Office, Upper Mgt approval
19. Secure Network Engineering (validated manually)
Network mgt group configuration rules
20. Penetration Tests and Red Team Exercises (validated manually)
CONTROL ENTITY RELATIONSHIP DIAGRAM (ERD) #1
CONTROL ENTITY RELATIONSHIP DIAGRAM (ERD) #14
THE CHALLENGES
Getting upper management (Board, President, CIO, VP) support
Getting the data
Internal IT groups may not have the info in a format you want
Internal IT groups may not want to give you the data
Departmental groups may not want to give you the info
Performing the Gap analysis
Building the 20 Critical Implementation plan
Just doing it!
JUST DO IT
You probably rolled your eyes when you read the controls
We can’t do that! It’s too complicated
Just do it
We have not made significant strides in overall organizational IT security in the past
20 years
Same vectors in the 1990s are causing problems in the 2010s
It’s time to change the paradigm
Just do it – a few steps at a time
QUESTIONS?
Contact Information
Randy Marchany
University IT Security Officer
VA Tech IT Security Office & Lab
1300 Torgersen Hall
Blacksburg, VA 24061
540-231-9523 (office) 540-231-1688(lab)
[email protected]
Twitter: @randymarchany
Blog: randymarchany.blogspot.com