Transcript InformationSecurity: How Can We Manage it Better?

THE CENTER FOR
INTERNET SECURITY
Securing IT Systems with the
Consensus Benchmarks
and
Scoring Tools
Clint Kreitner
www.cisecurity.org
[email protected]
1
SM
Unfortunate, but true…
“Through 2005, 90 percent of cyber
attacks will continue to exploit
known security flaws for which a
patch is available or a preventive
measure known.”
• Gartner Group, May 6, 2002
2
What is causing the vulnerabilities that
are being exploited?

Software defects


Fixed with vendor patches
Lack of technical security controls
Security settings made to enable or
disable security features of the OS
software
 Think of them as software switches

3
Examples of security settings







Password length, complexity
Account lockout after X attempts
Audit what system events?
Idle time before logoff
Users allowed to install print drivers?
What unneededservices to disable?
File system to use?
4
Aren’t these standards adequate to
improve user security practice?
ISO 17799
 COBIT from ISACA
 SysTrust, WebTrust from AICPA
 FISCAM from GAO
 Principles and Practices for Security
of IT Systems from NIST
 Standard of Good Practice from ISF

5
These standards are
helpful, but incomplete
They describe “what” to do, but not
“how”
 These standards are effective only
when accompanied by details on
how to implement their
requirements

6
An Example from ISO 17799
9.7.1 Event logging
Audit logs recording exceptions and other securityrelevant events should be produced and kept for an
agreed period to assist in future investigations and
access control monitoring.
Audit logs should also include:
a) user IDs;
b) dates and times for log-on and log-off;
c) terminal identity or location if possible;
d) records of successful and rejected system access
attempts;
e) records of successful and rejected data and other
resource access attempts.
7
One of several actions needed to implement
event logging on Sun Solaris systems:
cat <<END_SCRIPT >/etc/init.d/newperf
#!/sbin/sh
/usr/bin/su sys -c \
"/usr/lib/sa/sadc /var/adm/sa/sa\`date +%d\`"
END_SCRIPT
chown root:sys /etc/init.d/newperf
chmod 744 /etc/init.d/newperf
rm -f /etc/rc2.d/S21perf
ln -s /etc/init.d/newperf /etc/rc2.d/S21perf
/usr/bin/su sys -c crontab <<END_ENTRIES
0,20,40 * * * * /usr/lib/sa/sa1
45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
END_ENTRIES
8
Why has it been so difficult to
proliferate good security practice?
Vendors have been shipping
unconfigured systems to users with
technical security controls turned off
 Users don’t know how to properly
configure their systems
 Users are afraid to disrupt
operations


With patches or security settings
9
Microsoft Issues Patches,
but Users Don’t Apply Them
Forrester
Research
Report
April 3, 2003
10
Responding to the challenge
Cosmos Club meeting Aug 2000
 Need to develop and proliferate
detailed technical best practices

 The only true solution is try to raise the
bar everywhere--globally
 Employ a consensus process to define
best practices that is driven by security
savvy users from the public and private
sectors
11
The Center for Internet
Security (CIS)
Formed in October 2000
 Modeled after other community
initiatives, e.g., transportation safety
 A not-for-profit consortium of users
 Convenes and facilitates teams that
build consensus benchmarks

12
Some of the participants
in the consensus effort:
Government:








Nat’l Inst Stds & Tech.
Infocomm Development
Authority of Singapore
Naval Surface Warfare
Center
US Treasury Financial
Management Service
Washington State Dept.
of Health
Defense Info Sys
Agency (DISA)
Federal Reserve System
NASA










US Dept of Justice
Library of Congress
Royal Canadian Mounted
Police
Communications Security
Establishment (Canada)
Canadian CERT
NSA
GSA
FedCIRC
Dept Homeland Security
State of Maryland
13
Participants (cont’d):
Commercial:












Eastman Kodak
SASKTel
LG&E Energy
Hallmark
Intel
Deutsche Telecom
Caterpillar
Baylor College of Medicine
NCR
Batelle
U.S. Central Credit Union
VISA












Thomson Holdings
Pitney Bowes
First Union Corporation
Intuit
Union Bank of California
Swiss Reinsurance Co
Elemica
Online Resources
Agilent Technologies
Shell Info. Tech. Int’l
PeopleSoft
News Corporation
14
More (cont’d):
Consulting/Service:









IBM Business Consulting
Grant Thornton
Deloitte Touche
ISS
Symantec
BindView
NetIQ
SecureNet Solutions
RDA Corp







CSC
Procinct Security
Solutionary
Polivec
Mobile Automation
ConfigureSoft
GFM Consulting
15
More (cont’d):
Universities:
 Institute for Security Tech. Studies at Dartmouth








Virginia Tech
Monash University (Australia)
Illinois Institute of Technology
University of Missouri
William & Mary
Utah State University
University of California, SF
New York University
16
Auditing Participants

Information Systems Audit and
Control Association (ISACA)

American Institute of Certified
Public Accountants (AICPA)

Institute of Internal Auditors (IIA)
17
What has this
public/private partnership
produced so far?
18
Currently available:

Level I Configuration Benchmarks
Solaris
 Linux
 HP-UX
 Windows NT
 Windows 2000
 Cisco Router IOS

19
A Level I Benchmark:
Can be implemented by a sysadmin
of any level of security expertise
 Can be monitored by a compliance
tool
 Is not likely to “break” any function
 Represents a baseline level of
security

20
Currently available:

Gold Standard Benchmarks
W2K Professional Level II
 W2K Server Level II
 CISCO Router IOS Level I/II
 Solaris Level I

21
Also currently available:

Configuration Scoring Tools
Solaris
 Linux
 HP-UX
 Windows NT
 Windows 2000 Server
 Windows 2000 Professional
 Cisco Router IOS

22
23
Under development:

Benchmarks and Scoring Tools for:










Oracle databases
Apache
Windows IIS
Windows XP
Windows Server 2003
Catalyst Switches
PIX Firewalls
Check Point FW-1
SQL Server
Juniper Routers
24
How is this work being done?





Teams are formed with security experts
from member organisations
An initial benchmark draft is obtained or
developed
Consensus is established via email and
conference call discussion
A scoring tool is developed
They are made available free to all
users globally via the CIS website
(www.cisecurity.org)
25
The good news…
Case studies show that 80-90% of known
vulnerabilities are blocked by the security
settings in the consensus benchmarks…….
26
Case Study Methodology
(1) Scan a system “out of the box”
and list identified vulnerabilities
 (2) Configure the system with the
appropriate benchmark
 (3) Rescan the system and note the
vulnerabilities remaining

27
Vulnerability Assessment
Case studies
Study
System
% of Vuls
Benchmark Eliminated
Solutionary
W2K Server
Level I
85
Citadel
W2K Pro
Level I
81
NSA
W2K Pro
Level II
91
Mitre
W2K Pro
Level II
83 (CVE)
Citadel
W2K Server
Level II
99
Citadel
RedHatLinux
Level I
100
28
Encouraging progress:



U.S. government promulgation of CIS
benchmarks and tools via FedCIRC
VISA adoption of CIS benchmarks for its
Cardholder Information Security
Program’s Digital Dozen
Progress at the vendor level


Dell now delivering pre-configured systems
Top security experts from Microsoft, Sun, HP,
Cisco, and Oracle are active on the benchmark
consensus teams
29
Benefits of using
benchmarks and tools
Substantially reduce the risk of
unauthorized intrusion
 Following a recognized patching and
configuration standard demonstrates
due care against legal liability
 Provides a basis for ongoing
measurement and reporting of
security status to management

30
Recommended policies:




Use govt purchasing power to buy only
benchmark configured systems from
vendors
Encourage corporate and other
institutional buyers to do the same
Establish benchmark compliance as an
audit requirement
Encourage users in all sectors to
download and use the consensus
benchmarks and tools
31
Thank you!
[email protected]
http://www.cisecurity.org
32