Critical Controls Of Cyber Defense | PPTX
Critical Controls for Cyber Defense
Madhur Verma, CISSP, MVP (Consumer Security), CEH, CIW Security Analyst, MCTS, MCSE, MCSA

Computer Attacker Activities and Associated Defenses
Security defenses include:
  • Identifying attacker presence and reducing the attacker's "living space"
  • Controlling superuser privileges (admin and root)
  • Disrupting command and control of attacker-implanted software
  • Decreasing the attack surface and hardening security

Critical Control 1: Boundary Defense
  • All outgoing traffic must pass through at least one proxy on a DMZ network
  • All remote login access must use two-factor authentication
  • Health checking of all devices that log in remotely
  • Periodically scan for back-channel connections to the Internet that bypass the DMZ
  • Identify covert channels exfiltrating data through a firewall, using the firewall's built-in session tracking mechanisms

Critical Control 2: Secure Configurations for Network Devices such as Firewalls, Routers and Switches
  • Compare firewall, router and switch configurations against the standard secure configuration defined for each type of network device
  • Implement ingress and egress filtering
  • The management network should be separated from the production network

Critical Control 3: Wireless Device Control
  • Ensure that each wireless device connected to the network matches an authorized configuration and security profile
  • Ensure all wireless traffic uses at least AES encryption with at least WPA2 protection
  • Ensure wireless networks use authentication protocols such as EAP-TLS or PEAP
  • Disable peer-to-peer wireless networking capabilities on wireless clients
  • Disable wireless peripheral access on devices
  • Regularly scan for unauthorized or misconfigured wireless infrastructure devices

Critical Control 4: Limitation and Control of Network Ports, Protocols and Services
  • Use host-based firewalls or port filtering tools
  • Regularly review the ports, protocols and services that are needed
  • Operate critical services on separate physical host machines
  • Use port scanning tools to determine which services are listening

Critical Control 5: Malware Defenses
  • Monitor workstations, servers and mobile devices for active, up-to-date anti-malware protection
  • Send all malware detection events to enterprise anti-malware administration tools and event log servers
  • Configure laptops, workstations and servers so that they will not auto-run content from removable media
  • Configure systems to conduct an automated anti-malware scan of removable media when it is inserted

Critical Control 6: Secure Configurations for Hardware and Software on Laptops, Workstations and Servers
  • Standardized images should represent hardened versions of the underlying OS and of the applications installed on the system
  • Use file integrity checking tools to ensure that critical system files have not been altered

Critical Control 7: Application Software Security
  • Protect web applications by deploying web application firewalls that inspect all traffic flowing to the web application for common web application attacks
  • Check in-house developed and third-party procured web and other application software for coding errors and malware insertion, including backdoors, prior to deployment
  • Verify that security considerations are taken into account throughout all phases of the application development life cycle for all applications

Critical Control 8: Controlled Use of Administrative Privileges
  • Have a good password policy
  • Change all default passwords before deploying
  • Ensure that administrator accounts are used only for system administration activities and not for reading e-mail, composing documents or surfing the Internet
  • Configure systems to issue a log entry and alert when an account is added to or removed from the Domain Admins group
  • User awareness

Critical Control 9: Controlled Access Based on Need-to-Know
  • Establish a multi-level data identification or separation scheme
  • Ensure that file shares have defined access controls
  • Enforce detailed audit logging for access to non-public data, and special authentication for sensitive data

Critical Control 10: Account Monitoring and Control
  • Establish a good account management policy
  • Review all system accounts and disable any account that cannot be associated with a business process and a business owner
  • Monitor account usage to identify dormant accounts
  • Monitor attempts to access deactivated accounts through audit logging

Critical Control 11: Inventory of Authorized and Unauthorized Software
  • Devise a list of the authorised software that is required
  • Deploy software whitelisting technology that allows systems to run only approved applications and prevents execution of all other software

Critical Control 12: Inventory of Authorized and Unauthorized Devices
  • Devise a list of authorised devices
  • Deploy asset/network management tools

Critical Control 13: Maintenance, Monitoring and Analysis of Security Audit Logs
  • Record logs in a standardized format such as syslog or those outlined by the Common Event Expression (CEE) initiative
  • Configure network boundary devices to log verbosely all traffic arriving at the device
  • Ensure logs are written to write-once devices or to dedicated logging servers
  • Deploy a SIEM tool for log aggregation and consolidation

Critical Control 14: Data Loss Prevention
  • Deploy hard drive encryption software on laptops that hold sensitive data
  • Control the use of removable devices
  • Encrypt data stored on removable drives
  • Deploy an automated tool on the network perimeter that monitors for certain Personally Identifiable Information, keywords and other document characteristics in order to detect attempts to exfiltrate data

Critical Control 15: Continuous Vulnerability Assessment and Remediation
  • Run automated vulnerability scanning tools against all systems
  • Compare the results of back-to-back vulnerability scans to verify that vulnerabilities were addressed
  • Measure the delay in patching new vulnerabilities
  • Deploy automated patch management and software update tools

Critical Control 16: Secure Network Engineering
  • Segment the enterprise network
  • Follow security best practices for deploying servers, network devices and Internet services
  • The network should support rapid response to, and shunning of, detected attacks

Critical Control 17: Penetration Tests and Red Team Exercises
  • Conduct regular penetration tests to identify attack vectors
  • Perform periodic red team exercises to test the organization's readiness to identify and stop attacks, or to respond quickly and effectively
  • Ensure that systemic problems discovered in penetration tests and red team exercises are fully mitigated

Critical Control 18: Incident Response Capability
  • Have written incident response procedures
  • Assign job titles and duties for handling incidents to specific individuals
  • Publish information about incidents to all personnel for awareness
  • Conduct periodic scenario-based incident response drills to ensure that personnel understand current threats, risks and their responsibilities

Critical Control 19: Data Recovery Capability
  • Have a good backup policy
  • Ensure that backups are encrypted
  • Store backup media in physically secure areas

Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps
  • Develop security awareness training
  • Devise periodic security awareness assessment quizzes
  • Conduct periodic exercises to verify that employees and contractors are fulfilling their information security duties

Resources: http://www.sans.org
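Worked example for Critical Control 6 (file integrity checking of critical system files). This is an added example, not code from the deck or from any particular integrity-checking product. The monitored files, their contents and the "attacker" changes are all constructed in a temporary directory so the script runs offline; in practice the path list would be real files such as /etc/passwd or /etc/sudoers, and the baseline would be stored off-host on read-only media.

```python
"""File integrity baseline and verification (added example, Critical Control 6)."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record content hash, size and permission bits for each monitored file.

    Mode is part of the baseline because a permission change (e.g. a
    world-writable sudoers) is a finding even when the bytes are unchanged.
    """
    baseline = {}
    for path in paths:
        st = os.stat(path)
        baseline[path] = {
            "sha256": sha256_of(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def verify(baseline, paths):
    """Compare the current state of `paths` with a stored baseline.

    Returns lists of modified (hash or mode differs), missing (in baseline,
    now absent), added (present, never baselined) and unchanged paths.
    """
    report = {"modified": [], "missing": [], "added": [], "unchanged": []}
    current = {p for p in paths if os.path.exists(p)}
    for path, expected in baseline.items():
        if path not in current:
            report["missing"].append(path)
            continue
        st = os.stat(path)
        changed = (sha256_of(path) != expected["sha256"]
                   or oct(st.st_mode & 0o7777) != expected["mode"])
        report["modified" if changed else "unchanged"].append(path)
    report["added"] = sorted(current - set(baseline))
    return report


def demo():
    """Baseline constructed files, tamper with them, re-verify; returns basenames."""
    workdir = tempfile.mkdtemp(prefix="fim-")
    # Constructed stand-ins for critical files (not real system files).
    files = {
        "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "sudoers": b"root ALL=(ALL:ALL) ALL\n",
        "sshd_config": b"PermitRootLogin no\n",
    }
    paths = []
    for name, content in files.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as fh:
            fh.write(content)
        os.chmod(p, 0o644)
        paths.append(p)

    baseline = build_baseline(paths)
    with open(os.path.join(workdir, "baseline.json"), "w") as fh:
        json.dump(baseline, fh, indent=2)   # what a real tool would persist off-host

    # Simulated tampering: a sudo rule appended, a config removed, a file planted.
    with open(paths[1], "ab") as fh:
        fh.write(b"backdoor ALL=(ALL) NOPASSWD: ALL\n")
    os.remove(paths[2])
    planted = os.path.join(workdir, "ld.so.preload")
    with open(planted, "wb") as fh:
        fh.write(b"/tmp/evil.so\n")

    report = verify(baseline, paths + [planted])
    shutil.rmtree(workdir, ignore_errors=True)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Running the script prints one modified file (sudoers), one missing (sshd_config), one added (ld.so.preload) and one unchanged (passwd). The added file is reported only because the verify step is given the current directory listing; a checker that only re-hashes the baselined paths would never notice a planted file.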
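Worked example for Critical Control 8 (alert when an account is added to or removed from the Domain Admins group) and Critical Control 10 (dormant accounts, attempts to use deactivated accounts). This is an added example rather than anything from the deck; it runs detection logic over constructed Windows Security event records reduced to the fields a SIEM forwarder would carry. The event IDs (4728/4729 for global groups, 4756/4757 universal, 4732/4733 local, 4624 logon success, 4625 logon failure) and the 4625 sub-status 0xC0000072 ("account disabled") are Microsoft's; the account names, addresses and the 30-day idle threshold are assumptions.

```python
"""Account monitoring over Windows Security events (added example, Controls 8 and 10)."""
from datetime import datetime, timedelta

# Membership change events for security-enabled global / universal / local groups.
GROUP_ADDED = {4728, 4756, 4732}
GROUP_REMOVED = {4729, 4757, 4733}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# 4625 sub-status codes that mean "the account itself is not usable".
SUBSTATUS_ACCOUNT_DISABLED = "0xC0000072"
SUBSTATUS_ACCOUNT_EXPIRED = "0xC0000193"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def privileged_group_changes(events):
    """One alert per add/remove on a privileged group; who did it is kept."""
    alerts = []
    for e in events:
        if e["EventID"] in GROUP_ADDED | GROUP_REMOVED and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            action = "added to" if e["EventID"] in GROUP_ADDED else "removed from"
            alerts.append({
                "time": e["TimeCreated"],
                "group": e["TargetUserName"],
                "member": e["MemberName"],
                "by": e["SubjectUserName"],
                "summary": f"{e['MemberName']} {action} {e['TargetUserName']} by {e['SubjectUserName']}",
            })
    return alerts


def disabled_account_attempts(events):
    """Logon failures whose sub-status says the target account is disabled or expired.

    These are separated from ordinary bad-password noise: someone is using
    credentials that should be dead, which is worth a ticket on its own.
    """
    return [(e["TargetUserName"], e.get("IpAddress", "-"), e["TimeCreated"])
            for e in events
            if e["EventID"] == 4625
            and e.get("SubStatus") in (SUBSTATUS_ACCOUNT_DISABLED, SUBSTATUS_ACCOUNT_EXPIRED)]


def dormant_accounts(events, known_accounts, now, max_idle_days=30):
    """Enabled accounts with no successful logon (4624) inside the window.

    Checking against the directory's account list matters: an account that
    never logs on produces no events at all and a log-only approach misses it.
    Computer accounts (trailing '$') are skipped.
    """
    last_seen = {}
    for e in events:
        if e["EventID"] == 4624 and not e["TargetUserName"].endswith("$"):
            t = parse_ts(e["TimeCreated"])
            user = e["TargetUserName"]
            if user not in last_seen or t > last_seen[user]:
                last_seen[user] = t
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in known_accounts if last_seen.get(u, datetime.min) < cutoff)


# Constructed sample events (not from any real domain).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T08:02:11", "TargetUserName": "alice", "IpAddress": "10.0.5.21"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:15:40", "TargetUserName": "bob", "IpAddress": "10.0.5.30"},
    {"EventID": 4728, "TimeCreated": "2024-03-04T22:41:03", "SubjectUserName": "svc-backup",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2024-03-05T10:00:00", "SubjectUserName": "alice",
     "MemberName": "CN=dev1,OU=Users,DC=corp,DC=example", "TargetUserName": "Developers"},
    {"EventID": 4625, "TimeCreated": "2024-03-05T03:12:58", "TargetUserName": "jsmith-old",
     "SubStatus": SUBSTATUS_ACCOUNT_DISABLED, "IpAddress": "10.0.9.77"},
    {"EventID": 4625, "TimeCreated": "2024-03-05T03:13:05", "TargetUserName": "alice",
     "SubStatus": "0xC000006A", "IpAddress": "10.0.5.21"},  # bad password: not this control's concern
    {"EventID": 4729, "TimeCreated": "2024-03-06T07:30:00", "SubjectUserName": "alice",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4624, "TimeCreated": "2024-01-20T12:00:00", "TargetUserName": "carol", "IpAddress": "10.0.5.40"},
    {"EventID": 4624, "TimeCreated": "2024-03-06T12:00:00", "TargetUserName": "WS01$", "IpAddress": "10.0.5.99"},
]
KNOWN_ACCOUNTS = ["alice", "bob", "carol", "dave"]
NOW = datetime(2024, 3, 7, 0, 0, 0)

if __name__ == "__main__":
    for a in privileged_group_changes(SAMPLE_EVENTS):
        print("ALERT", a["time"], a["summary"])
    print("disabled-account attempts:", disabled_account_attempts(SAMPLE_EVENTS))
    print("dormant:", dormant_accounts(SAMPLE_EVENTS, KNOWN_ACCOUNTS, NOW))
```

Note that the Domain Admins addition at 22:41 by a service account is exactly the pattern the control is after: it was later reverted, but an alert that fires only on the current membership snapshot would never have seen it, which is why the detection is event-driven rather than a periodic group listing.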
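Worked example for Critical Control 14 (an automated perimeter tool that watches for Personally Identifiable Information and keywords in outbound data). Added here and not part of the deck; the sample messages are constructed, the credit-card test number 4111111111111111 is the well-known test value that passes the Luhn check, and the allow/alert/block policy is an assumption. The point the example adds is that structured PII needs a validity check (Luhn for cards, invalid area/group/serial ranges for US SSNs) on top of a regular expression, otherwise order numbers and timestamps flood the DLP queue with false positives.

```python
"""Outbound PII / keyword detection (added example, Critical Control 14)."""
import re

# US SSN layout: AAA-GG-SSSS. Lookarounds stop a longer digit run from matching.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13-19 digits with optional single space/hyphen separators (PAN formats).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
KEYWORDS = ("CONFIDENTIAL", "INTERNAL ONLY", "DO NOT DISTRIBUTE")


def luhn_ok(digits):
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """Reject ranges the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def scan_text(text):
    """Return the PII and keyword hits found in one outbound message body."""
    findings = {"ssn": [], "card": [], "keyword": []}
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings["card"].append(digits)
    upper = text.upper()
    findings["keyword"] = [k for k in KEYWORDS if k in upper]
    return findings


def policy_decision(findings):
    """Assumed policy: structured PII blocks the transfer, a keyword only alerts."""
    if findings["ssn"] or findings["card"]:
        return "block"
    if findings["keyword"]:
        return "alert"
    return "allow"


def triage(messages):
    """Decision per message, in input order."""
    return [policy_decision(scan_text(m)) for m in messages]


# Constructed outbound messages.
SAMPLES = [
    "Hi, invoice attached. Card on file 4111 1111 1111 1111, exp 12/27.",
    "Employee record: SSN 123-45-6789, start date 2024-03-01",
    "Draft: CONFIDENTIAL - Q3 roadmap, please do not forward yet",
    "Order #4111111111111112 shipped; warehouse ref 000-12-3456",   # fails Luhn, bogus SSN area
    "Lunch at noon? Call me on 555-123-4567",
]

if __name__ == "__main__":
    for msg, decision in zip(SAMPLES, triage(SAMPLES)):
        print(f"{decision:5s}  {msg}")
```

The fourth message is the interesting one: both patterns match syntactically, and a regex-only filter would block a harmless shipping note. The checks are cheap compared to the cost of analysts clearing false positives, and they do not weaken the control, since a real PAN or SSN always passes them.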
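Worked example for Critical Control 15 (comparing back-to-back vulnerability scans and measuring the delay in patching). Added example, not from the deck or from any scanner vendor. Scan rows are constructed and the finding IDs (VULN-0001 and so on) are placeholders rather than real plugin or CVE identifiers; the SLA days per severity are an assumed policy. The caveat it carries: a finding that vanishes because a host was offline during the scan is not "fixed", so the diff takes the list of hosts actually scanned and reports such findings as unverified.

```python
"""Scan-to-scan diff and time-to-remediate (added example, Critical Control 15)."""
from datetime import date

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # assumed policy


def finding_key(row):
    """Same host, port and finding ID across scans means the same finding."""
    return (row["host"], row["port"], row["id"])


def diff_scans(previous, current, hosts_scanned=None):
    """Classify findings as fixed, new, persisting or unverified.

    `hosts_scanned` is the set of hosts the current scan actually reached;
    findings on hosts outside it cannot be called fixed.
    """
    prev = {finding_key(r) for r in previous}
    curr = {finding_key(r) for r in current}
    gone = prev - curr
    unverified = []
    if hosts_scanned is not None:
        unverified = sorted(k for k in gone if k[0] not in hosts_scanned)
        gone = {k for k in gone if k[0] in hosts_scanned}
    return {
        "fixed": sorted(gone),
        "new": sorted(curr - prev),
        "persisting": sorted(prev & curr),
        "unverified": unverified,
    }


def remediation_delays(history, today):
    """Per finding: first seen, closed (first scan date it was absent), days open, SLA state.

    `history` is a list of (scan_date, rows). A finding still present in the
    latest scan is open and measured up to `today`.
    """
    scans = sorted(history, key=lambda h: h[0])
    dates = [d for d, _ in scans]
    first_seen, last_seen, severity = {}, {}, {}
    for scan_date, rows in scans:
        for r in rows:
            k = finding_key(r)
            first_seen.setdefault(k, scan_date)
            last_seen[k] = scan_date
            severity[k] = r["severity"]
    result = {}
    for k, opened in first_seen.items():
        idx = dates.index(last_seen[k])
        closed = dates[idx + 1] if idx + 1 < len(dates) else None
        days_open = ((closed or today) - opened).days
        result[k] = {
            "severity": severity[k],
            "first_seen": opened,
            "closed": closed,
            "days_open": days_open,
            "sla_breached": days_open > SLA_DAYS[severity[k]],
        }
    return result


def sla_breaches(delays):
    return sorted(k for k, v in delays.items() if v["sla_breached"])


# Constructed fortnightly scans; IDs are placeholders, not real identifiers.
SCAN_1 = [
    {"host": "web1", "port": 443, "id": "VULN-0001", "severity": "critical"},
    {"host": "web1", "port": 22, "id": "VULN-0002", "severity": "medium"},
    {"host": "web1", "port": 80, "id": "VULN-0004", "severity": "low"},
]
SCAN_2 = [
    {"host": "web1", "port": 443, "id": "VULN-0001", "severity": "critical"},
    {"host": "web1", "port": 80, "id": "VULN-0004", "severity": "low"},
    {"host": "db1", "port": 3306, "id": "VULN-0003", "severity": "high"},
]
SCAN_3 = [
    {"host": "web1", "port": 443, "id": "VULN-0001", "severity": "critical"},
    {"host": "db1", "port": 3306, "id": "VULN-0003", "severity": "high"},
    {"host": "app1", "port": 8080, "id": "VULN-0005", "severity": "critical"},
]
HISTORY = [(date(2024, 3, 1), SCAN_1), (date(2024, 3, 15), SCAN_2), (date(2024, 3, 29), SCAN_3)]
TODAY = date(2024, 3, 29)

if __name__ == "__main__":
    print(diff_scans(SCAN_2, SCAN_3, hosts_scanned={"web1", "db1", "app1"}))
    delays = remediation_delays(HISTORY, TODAY)
    for k, v in sorted(delays.items()):
        print(k, v["severity"], v["days_open"], "days", "BREACH" if v["sla_breached"] else "")
```

In the constructed data the critical finding on web1:443 has been open across three scans (28 days against a 7-day SLA) and is the only breach; that "persisting critical" line is the metric the control asks for, and it is invisible if each scan report is read in isolation.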