Information Security: How Can We Manage it Better?
THE CENTER FOR
INTERNET SECURITY
Securing IT Systems with the
Consensus Benchmarks
and
Scoring Tools
Clint Kreitner
www.cisecurity.org
[email protected]
1
Unfortunate, but true…
“Through 2005, 90 percent of cyber
attacks will continue to exploit
known security flaws for which a
patch is available or a preventive
measure known.”
• Gartner Group, May 6, 2002
2
What is causing the vulnerabilities that
are being exploited?
Software defects
Fixed with vendor patches
Lack of technical security controls
Security settings made to enable or
disable security features of the OS
software
Think of them as software switches
3
Examples of security settings
Password length, complexity
Account lockout after X attempts
Audit what system events?
Idle time before logoff
Users allowed to install print drivers?
What unneeded services to disable?
File system to use?
4
Aren’t these standards adequate to
improve user security practice?
ISO 17799
COBIT from ISACA
SysTrust, WebTrust from AICPA
FISCAM from GAO
Principles and Practices for Security
of IT Systems from NIST
Standard of Good Practice from ISF
5
These standards are
helpful, but incomplete
They describe “what” to do, but not
“how”
These standards are effective only
when accompanied by details on
how to implement their
requirements
6
An Example from ISO 17799
9.7.1 Event logging
Audit logs recording exceptions and other security-relevant
events should be produced and kept for an agreed period to
assist in future investigations and access control monitoring.
Audit logs should also include:
a) user IDs;
b) dates and times for log-on and log-off;
c) terminal identity or location if possible;
d) records of successful and rejected system access
attempts;
e) records of successful and rejected data and other
resource access attempts.
7
One of several actions needed to implement
event logging on Sun Solaris systems:
# Install a boot-time script that starts system activity data collection (sadc)
cat <<END_SCRIPT >/etc/init.d/newperf
#!/sbin/sh
/usr/bin/su sys -c \
"/usr/lib/sa/sadc /var/adm/sa/sa\`date +%d\`"
END_SCRIPT
chown root:sys /etc/init.d/newperf
chmod 744 /etc/init.d/newperf
# Point the run-level 2 start link at the new script
rm -f /etc/rc2.d/S21perf
ln -s /etc/init.d/newperf /etc/rc2.d/S21perf
# Schedule periodic collection (sa1) and a daily summary report (sa2)
# in the sys user's crontab
/usr/bin/su sys -c crontab <<END_ENTRIES
0,20,40 * * * * /usr/lib/sa/sa1
45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
END_ENTRIES
8
Why has it been so difficult to
proliferate good security practice?
Vendors have been shipping
unconfigured systems to users with
technical security controls turned off
Users don’t know how to properly
configure their systems
Users are afraid to disrupt
operations
With patches or security settings
9
Microsoft Issues Patches,
but Users Don’t Apply Them
Forrester
Research
Report
April 3, 2003
10
Responding to the challenge
Cosmos Club meeting Aug 2000
Need to develop and proliferate
detailed technical best practices
The only true solution is to try to raise the
bar everywhere, globally
Employ a consensus process to define
best practices that is driven by security
savvy users from the public and private
sectors
11
The Center for Internet
Security (CIS)
Formed in October 2000
Modeled after other community
initiatives, e.g., transportation safety
A not-for-profit consortium of users
Convenes and facilitates teams that
build consensus benchmarks
12
Some of the participants
in the consensus effort:
Government:
Nat’l Inst Stds & Tech.
Infocomm Development Authority of Singapore
Naval Surface Warfare Center
US Treasury Financial Management Service
Washington State Dept. of Health
Defense Info Sys Agency (DISA)
Federal Reserve System
NASA
US Dept of Justice
Library of Congress
Royal Canadian Mounted Police
Communications Security Establishment (Canada)
Canadian CERT
NSA
GSA
FedCIRC
Dept Homeland Security
State of Maryland
13
Participants (cont’d):
Commercial:
Eastman Kodak
SASKTel
LG&E Energy
Hallmark
Intel
Deutsche Telekom
Caterpillar
Baylor College of Medicine
NCR
Battelle
U.S. Central Credit Union
VISA
Thomson Holdings
Pitney Bowes
First Union Corporation
Intuit
Union Bank of California
Swiss Reinsurance Co
Elemica
Online Resources
Agilent Technologies
Shell Info. Tech. Int’l
PeopleSoft
News Corporation
14
More (cont’d):
Consulting/Service:
IBM Business Consulting
Grant Thornton
Deloitte Touche
ISS
Symantec
BindView
NetIQ
SecureNet Solutions
RDA Corp
CSC
Procinct Security
Solutionary
Polivec
Mobile Automation
ConfigureSoft
GFM Consulting
15
More (cont’d):
Universities:
Institute for Security Tech. Studies at Dartmouth
Virginia Tech
Monash University (Australia)
Illinois Institute of Technology
University of Missouri
William & Mary
Utah State University
University of California, SF
New York University
16
Auditing Participants
Information Systems Audit and Control Association (ISACA)
American Institute of Certified Public Accountants (AICPA)
Institute of Internal Auditors (IIA)
17
What has this
public/private partnership
produced so far?
18
Currently available:
Level I Configuration Benchmarks
Solaris
Linux
HP-UX
Windows NT
Windows 2000
Cisco Router IOS
19
A Level I Benchmark:
Can be implemented by a sysadmin
of any level of security expertise
Can be monitored by a compliance
tool
Is not likely to “break” any function
Represents a baseline level of
security
20
Currently available:
Gold Standard Benchmarks
W2K Professional Level II
W2K Server Level II
CISCO Router IOS Level I/II
Solaris Level I
21
Also currently available:
Configuration Scoring Tools
Solaris
Linux
HP-UX
Windows NT
Windows 2000 Server
Windows 2000 Professional
Cisco Router IOS
22
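The settings listed under “Examples of security settings” are the software switches a scoring tool checks. The script below is an added example of how such a check works, written for this page; it is not one of the CIS scoring tools and does not use their rule set. The setting names, the benchmark rules, the “percentage of rules passed” score and the two sample configurations are all constructed for illustration.

```python
"""Minimal benchmark scoring check in the style of the CIS configuration
scoring tools described on these slides. Added example code, not a CIS tool.
The setting names, benchmark rules and sample files are constructed."""

# Constructed sample of an "out of the box" settings file (hypothetical keys,
# one "KEY value" pair per line) plus the services enabled at boot.
OUT_OF_BOX_CONFIG = """
PASS_MIN_LEN 6
PASS_COMPLEXITY no
LOCKOUT_ATTEMPTS 0
AUDIT_EVENTS login,logout
IDLE_TIMEOUT 0
ALLOW_PRINT_DRIVER_INSTALL yes
"""
OUT_OF_BOX_SERVICES = ["sshd", "syslogd", "fingerd", "telnetd", "sendmail"]

# The same host after the benchmark settings have been applied (constructed).
HARDENED_CONFIG = """
PASS_MIN_LEN 8
PASS_COMPLEXITY yes
LOCKOUT_ATTEMPTS 5
AUDIT_EVENTS login,logout,privilege_use
IDLE_TIMEOUT 15
ALLOW_PRINT_DRIVER_INSTALL no
"""
HARDENED_SERVICES = ["sshd", "syslogd"]

# Services the (constructed) benchmark considers unneeded on this host.
UNNEEDED_SERVICES = {"fingerd", "telnetd", "sendmail"}


def parse_settings(text):
    """Parse 'KEY value' lines into a dict, ignoring blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def _int(value, default=0):
    """Read an integer setting; a missing or malformed value counts as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


# Each rule: (id, description, check). A check receives the parsed settings
# and the enabled-service list and returns True when the setting is compliant.
BENCHMARK = [
    ("1.1", "Minimum password length is at least 8",
     lambda s, svc: _int(s.get("PASS_MIN_LEN")) >= 8),
    ("1.2", "Password complexity is enforced",
     lambda s, svc: s.get("PASS_COMPLEXITY") == "yes"),
    ("1.3", "Accounts lock after at most 5 failed attempts",
     lambda s, svc: 1 <= _int(s.get("LOCKOUT_ATTEMPTS")) <= 5),
    ("2.1", "Auditing covers login and logout events",
     lambda s, svc: {"login", "logout"} <= set(s.get("AUDIT_EVENTS", "").split(","))),
    ("2.2", "Idle sessions are logged off within 15 minutes",
     lambda s, svc: 1 <= _int(s.get("IDLE_TIMEOUT")) <= 15),
    ("3.1", "Users may not install print drivers",
     lambda s, svc: s.get("ALLOW_PRINT_DRIVER_INSTALL") == "no"),
    ("4.1", "Unneeded network services are disabled",
     lambda s, svc: not (UNNEEDED_SERVICES & set(svc))),
]


def score(settings, services):
    """Evaluate every rule; the score is the percentage of rules passed
    (a constructed convention, not the CIS tools' own scale)."""
    failed = [rule_id for rule_id, _, check in BENCHMARK
              if not check(settings, services)]
    passed = len(BENCHMARK) - len(failed)
    return {"passed": passed, "total": len(BENCHMARK),
            "score": round(100.0 * passed / len(BENCHMARK), 1),
            "failed": failed}


def report(settings, services):
    """Human-readable pass/fail listing, the way a scoring tool would print it."""
    result = score(settings, services)
    lines = ["Score: %s%% (%d/%d rules passed)"
             % (result["score"], result["passed"], result["total"])]
    for rule_id, description, _ in BENCHMARK:
        status = "FAIL" if rule_id in result["failed"] else "PASS"
        lines.append("  [%s] %s %s" % (status, rule_id, description))
    return "\n".join(lines)


if __name__ == "__main__":
    print("Out of the box:")
    print(report(parse_settings(OUT_OF_BOX_CONFIG), OUT_OF_BOX_SERVICES))
    print("After applying the benchmark:")
    print(report(parse_settings(HARDENED_CONFIG), HARDENED_SERVICES))
```

Run as a script it prints the out-of-the-box host failing six of the seven rules and the hardened host passing all of them. The rules are deliberately Level I in character: each one checks a single setting that an administrator can read back and that a compliance tool can monitor, which is what makes the score repeatable across systems.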
Under development:
Benchmarks and Scoring Tools for:
Oracle databases
Apache
Windows IIS
Windows XP
Windows Server 2003
Catalyst Switches
PIX Firewalls
Check Point FW-1
SQL Server
Juniper Routers
24
How is this work being done?
Teams are formed with security experts
from member organisations
An initial benchmark draft is obtained or
developed
Consensus is established via email and
conference call discussion
A scoring tool is developed
They are made available free to all
users globally via the CIS website
(www.cisecurity.org)
25
The good news…
Case studies show that 80-90% of known
vulnerabilities are blocked by the security
settings in the consensus benchmarks…
26
Case Study Methodology
(1) Scan a system “out of the box”
and list identified vulnerabilities
(2) Configure the system with the
appropriate benchmark
(3) Rescan the system and note the
vulnerabilities remaining
27
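The three steps above reduce to comparing two scan reports. The following is an added example of that comparison written for this page, not code from CIS or from any of the case-study organisations; the scanner output format and every finding in it are constructed, with placeholder ids rather than real vulnerability identifiers. Besides the percentage eliminated it reports what remains and whether the reconfiguration surfaced any new finding, which is the check a practitioner wants before trusting the number.

```python
"""Before/after scan comparison implementing the three-step case-study
methodology on the slide: scan out of the box, apply the benchmark, rescan.
Added example code, not a CIS tool; the scanner output format and the
findings below are constructed."""

# Constructed scanner reports, one finding per line:
# SEVERITY <tab> finding id <tab> title.  The ids are placeholders.
BEFORE_SCAN = """\
HIGH\tF-0001\tGuest account enabled
HIGH\tF-0002\tNo account lockout policy
MEDIUM\tF-0003\tAnonymous share enumeration allowed
MEDIUM\tF-0004\tTelnet service listening
LOW\tF-0005\tLogin banner missing
HIGH\tF-0006\tUnpatched network service (vendor patch available)
"""
AFTER_SCAN = """\
HIGH\tF-0006\tUnpatched network service (vendor patch available)
LOW\tF-0005\tLogin banner missing
"""


def parse_scan(text):
    """Map finding id -> (severity, title); blank lines are ignored."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        severity, finding_id, title = line.split("\t", 2)
        findings[finding_id] = (severity, title)
    return findings


def compare_scans(before, after):
    """Step 3 of the methodology: which findings the benchmark eliminated,
    which remain, and whether the reconfiguration surfaced anything new."""
    eliminated = sorted(set(before) - set(after))
    remaining = sorted(set(before) & set(after))
    introduced = sorted(set(after) - set(before))
    remaining_by_severity = {}
    for finding_id in remaining:
        severity = after[finding_id][0]
        remaining_by_severity[severity] = remaining_by_severity.get(severity, 0) + 1
    percent = round(100.0 * len(eliminated) / len(before), 1) if before else 0.0
    return {"percent_eliminated": percent, "eliminated": eliminated,
            "remaining": remaining, "introduced": introduced,
            "remaining_by_severity": remaining_by_severity}


def summarize(result, after):
    """Text summary in the shape of one row of the case-study table."""
    lines = ["%s%% of out-of-the-box findings eliminated"
             % result["percent_eliminated"]]
    for finding_id in result["remaining"]:
        severity, title = after[finding_id]
        lines.append("  remaining: %s %s %s" % (severity, finding_id, title))
    for finding_id in result["introduced"]:
        severity, title = after[finding_id]
        lines.append("  NEW since hardening: %s %s %s" % (severity, finding_id, title))
    return "\n".join(lines)


if __name__ == "__main__":
    before, after = parse_scan(BEFORE_SCAN), parse_scan(AFTER_SCAN)
    print(summarize(compare_scans(before, after), after))
```

On the constructed reports the benchmark settings remove four of six findings (66.7%). The remaining high-severity item is an unpatched service, which matches the distinction drawn earlier in the deck: configuration settings close the control gaps, while software defects still need the vendor patch.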
Vulnerability Assessment
Case studies

Study        System         Benchmark   % of Vulns Eliminated
Solutionary  W2K Server     Level I     85
Citadel      W2K Pro        Level I     81
NSA          W2K Pro        Level II    91
Mitre        W2K Pro        Level II    83 (CVE)
Citadel      W2K Server     Level II    99
Citadel      Red Hat Linux  Level I     100
28
Encouraging progress:
U.S. government promulgation of CIS
benchmarks and tools via FedCIRC
VISA adoption of CIS benchmarks for its
Cardholder Information Security
Program’s Digital Dozen
Progress at the vendor level
Dell now delivering pre-configured systems
Top security experts from Microsoft, Sun, HP,
Cisco, and Oracle are active on the benchmark
consensus teams
29
Benefits of using
benchmarks and tools
Substantially reduces the risk of
unauthorized intrusion
Following a recognized patching and
configuration standard demonstrates
due care against legal liability
Provides a basis for ongoing
measurement and reporting of
security status to management
30
Recommended policies:
Use govt purchasing power to buy only
benchmark configured systems from
vendors
Encourage corporate and other
institutional buyers to do the same
Establish benchmark compliance as an
audit requirement
Encourage users in all sectors to
download and use the consensus
benchmarks and tools
31
Thank you!
[email protected]
http://www.cisecurity.org
32