Configuration Management - University Of Cincinnati

Transcription

Configuration Management: What
"A systems engineering process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its
- In our case, with respect to cyber security

Configuration Management: How
Provide access to a centralized repository of code
- easier to manage and distribute from a central source
- easier to protect configuration information
Manage and track multiple versions of the same applications
Manage multiple developers
Identify when changes are made and their impact
Detect and resolve conflicting changes
Distribute and deploy the latest versions of code
Back up and preserve access to older versions of code
Manage and distribute reuse libraries

Configuration Management: Importance
Attackers look for systems with vulnerable default settings
Attackers make changes once a system is exploited
Security Configuration Management (SCM) can
- identify misconfigurations making the system vulnerable
- identify "unusual" changes to the system
SCM is used to meet CIS and NIST hardening standards
SCM is used to meet HIPAA compliance
2015 Verizon Data Breach Investigation Report: 60% of incidents are due to misconfiguration

Configuration Management: Center for Internet Security Critical Security Controls: why?
Defenders have access to a large number of
- security tools, security standards & best practices
- training, classes & certifications
- vulnerability databases
- guidance
- catalogs of security controls
- security checklists
- benchmarks
- recommendations, reports & alert services
- threat sharing frameworks
- risk management frameworks
- compliance & regulatory mandates
Fog of More: competing options, priorities, opinions, and claims can paralyze or distract an enterprise from vital action
Center for Internet Security: https://www.cisecurity.org/
Critical Security Controls: https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Controls_for_Effective_Cyber_Defense

Configuration Management: CIS Critical Security Controls: what?
CIS CSC are a prioritized, highly focused set of actions with a community support network to make them implementable, usable, scalable, and compliant with all industry and/or government security requirements
CIS CSC are the result of actual attack outcomes and analysis, with input from individuals who are threat responders, threat analysts, vulnerability finders, tool makers, solution providers, defenders, policy makers, and auditors from government, power, defense, finance, transportation, academia, consulting, and IT
Objective:
- reduce the attack surface via hardening device configurations
- identify compromised machines to address long-term threats inside an organization's network
- disrupt attackers' command and control of implanted malicious code
- establish an adaptive, continuous, maintainable defense and response capability

Configuration Management: CIS Critical Security Controls: tenets
Offense informs defense: use knowledge of actual compromising attacks to build effective, practical defenses over time – use only controls that are known to stop real attacks
Prioritization: first, invest in feasibly implemented controls providing the highest risk reduction and protection against the most dangerous actors
Metrics: establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to determine the effectiveness of security measures so adjustments can be made
Continuous diagnostics and mitigation: test and validate the effectiveness of current security measures
Automation: automate defenses to achieve reliable, scalable measurement of adherence to the controls and related metrics

Configuration Management: CIS Critical Security Controls
1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
4. Continuous vulnerability assessment and remediation
5. Controlled use of administrative privileges
6. Maintenance, monitoring, and analysis of audit logs
7. Email and web browser protections
8. Malware defenses
9. Limitation and control of network ports, protocols, and services
10. Data recovery capability

Configuration Management: CIS Critical Security Controls (continued)
11. Secure configurations for network devices such as firewalls, routers, and switches
12. Boundary defense
13. Data protection
14. Controlled access based on the need to know
15. Wireless access control
16. Account monitoring and control
17. Security skills assessment and training to fill gaps
18. Application software security
19. Incident response and management
20. Penetration tests and red team exercises

Configuration Management: Automated Security Control
SCAP: Security Content Automation Protocol
- suite of specs that standardize format and nomenclature to support communication of software flaw and security configuration information: http://scap.nist.gov/
- Spec: tomation-Protocol/SCAP-Releases/SCAP-1-3
XCCDF: Extensible Configuration Checklist Description Format
- specification language for writing security checklists, benchmarks, and related kinds of documents
- Spec: http://scap.nist.gov/specifications/xccdf/ (click the specification link, scroll to and click XCCDF; NISTIR 7275 Rev. 4, updated March 2012)
OVAL: Open Vulnerability and Assessment Language
- represent configuration information of systems for testing
- analyze for vulnerability, configuration, patch (etc.) state
- report results of the assessment
- Spec: https://oval.mitre.org/
- Ex: https://qualysguard.qualys.com/qwebhelp/fo_portal/scans/oval_vulnerability_samples.htm

Configuration Management: Automated Security Control
CVSS: Common Vulnerability Scoring System
- framework for communicating the characteristics and impact of IT vulnerabilities: https://nvd.nist.gov/cvss.cfm
- Score: /AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H
- Standard spec: http://www.first.org/cvss/v2/guide
- Vector spec: https://nvd.nist.gov/CVSS/Vector-v2.aspx
CPE: Common Platform Enumeration
- standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets
- Spec: https://cpe.mitre.org/specification/
- Dictionary: https://nvd.nist.gov/cpe.cfm
CCE: Common Configuration Enumeration
- provides unique identifiers for system configuration issues in order to facilitate fast, accurate correlation of configuration data across multiple information sources and tools
CCE & CPE are widely used to check for known vulnerabilities
- Try: https://nvd.nist.gov/config/cce
- Checklist: https://web.nvd.nist.gov/view/ncp/repository

Configuration Management: SCAP Interoperability (figure)

Configuration Management: SCAP
SCAP was developed to organize, express and measure security information in standardized ways, to provide an automated approach to maintaining the security of enterprise systems
SCAP is used to maintain system security as follows:
- automatically verifying the installation of patches
- checking system security configuration settings
- examining systems for signs of compromise
Helps organizations needing to comply with the US Government Configuration Baseline
SCAP-validated scanning tools scan for compliance
SCAP tools can be used continuously, not occasionally

Configuration Management: SCAP Content
Software flaw and security configuration standard reference data
- provided by the National Vulnerability Database (NVD)
- managed by NIST
- sponsored by the Department of Homeland Security (DHS)

Configuration Management: SCAP Specifications
Forum for Incident Response and Security Teams (FIRST): https://www.first.org/
MITRE: https://www.mitre.org/
NSA: https://www.nsa.gov/
NIST: https://www.nist.gov/

Configuration Management: SCAP Checklists
Integrate SCAP components and content
Example: view Microsoft Internet Explorer 7 – choose USGCB IE7
- Click 'download prose' (human readable)
- Click the 'download' link at the top – open the spreadsheet, go to the last tab
- the spreadsheet indexes each policy setting and name with the CCE reference, the registry setting, the description, and the Federal Desktop Configuration for that policy
Download All Platforms: https://nvd.nist.gov/config/cce

Configuration Management: SCAP Common Uses
Security configuration verification
- compare settings in a checklist to a system's actual configuration
- verify configuration before deployment; audit/assess/monitor operational systems
- map individual settings to high level security requirements that originate from mandates such as FDCC
- similar process for verifying patch installation and identifying missing patches
Check systems for signs of compromise
- known characteristics of attacks, such as altered files or the presence of a malicious service
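As an added example (not from the course or from any NIST checklist) tying the XCCDF slide above to "compare settings in a checklist to a system's actual configuration": the code below parses a small constructed XCCDF 1.2 benchmark, resolves which rules a Profile selects under XCCDF's override semantics, and grades constructed per-rule check results so that failures of the highest severity come first. The benchmark, its rule ids and the result values are constructed for the example; the OVAL check reference shows how a rule points at OVAL content but is not evaluated here.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed benchmark for this example, not an NVD or USGCB checklist.
BENCHMARK = f"""<Benchmark xmlns="{XCCDF}" id="xccdf_org.example_benchmark_demo">
  <Profile id="xccdf_org.example_profile_server">
    <select idref="xccdf_org.example_rule_ssh_root" selected="true"/>
    <select idref="xccdf_org.example_rule_guest" selected="false"/>
  </Profile>
  <Group id="xccdf_org.example_group_access">
    <Rule id="xccdf_org.example_rule_ssh_root" severity="high" selected="false">
      <title>Disable SSH root login</title>
      <check system="{OVAL}"><check-content-ref href="oval.xml" name="oval:org.example:def:1"/></check>
    </Rule>
    <Rule id="xccdf_org.example_rule_guest" severity="medium">
      <title>Guest account disabled</title>
    </Rule>
    <Rule id="xccdf_org.example_rule_audit" severity="low" selected="true">
      <title>Audit logging enabled</title>
    </Rule>
  </Group>
</Benchmark>"""

def selected_rules(xml_text: str, profile_id: str) -> dict:
    """Return {rule id: severity} for the rules a Profile leaves selected.
    XCCDF semantics: a Rule's own selected attribute (default "true")
    applies unless the Profile has a <select> for it, which overrides it."""
    root = ET.fromstring(xml_text)
    rules = {}  # rule id -> [selected, severity]
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        rules[rule.get("id")] = [rule.get("selected", "true") == "true",
                                 rule.get("severity", "unknown")]
    profile = root.find(f"{{{XCCDF}}}Profile[@id='{profile_id}']")
    if profile is None:
        raise ValueError(f"profile not found: {profile_id}")
    for sel in profile.findall(f"{{{XCCDF}}}select"):
        if sel.get("idref") in rules:  # a select for an unknown id is ignored
            rules[sel.get("idref")][0] = sel.get("selected") == "true"
    return {rid: sev for rid, (on, sev) in rules.items() if on}

def verify(rules: dict, actual: dict) -> list:
    """Compare the selected checklist with constructed per-rule results
    ("pass"/"fail"; missing -> "notchecked"), failures first by severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(rid, sev, actual.get(rid, "notchecked")) for rid, sev in rules.items()]
    return sorted(rows, key=lambda r: (r[2] != "fail", order.get(r[1], 3), r[0]))
```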

Configuration Management: SCAP Common Uses (continued)
Standardize security enumerations
- interoperability for security management tools, such as vulnerability scanners and patch management utilities
- information sharing, such as security bulletins and incident reports
Vulnerability remediation prioritization
- use scores of relative vulnerability severity to help prioritize remediation, such as applying patches
Acquire and use SCAP-validated products
- validated products list: https://nvd.nist.gov/scapproducts.cfm
- scroll to the bottom of the page to see accredited laboratories

Configuration Management: SCAP: how it works
Software developers
- register and use standardized identifiers
- make security settings available through automation
- develop software with SCAP requirements in mind to avoid costly manual checks and proprietary checking mechanisms
SCAP content producers
- develop security checklists in SCAP format and contribute them to the National Checklist Program
- participate in developing OVAL
End-user organizations
- acquire products and services that support SCAP
- use SCAP in organization-developed software, databases, etc.

Configuration Management: SCAP Validation
Independent laboratories test submitted products
- tests defined in NIST IR 7511, SCAP Validation Program Test Requirements
NIST validates products based on the test results, then posts the
Federal agencies have requirements to purchase SCAP-validated products
- details at http://nvd.nist.gov/scapproducts.cfm

Configuration Management: SCAP Revision Cycle (figure; DTR = Derived Test Requirements)

Configuration Management: SCAP Redux (figure)

Configuration Management: SCAP Benefits
Automation reduces the manual effort to obtain assessment results and determine the corrective actions needed, and provides substantial cost savings
SCAP mandates a common language that supports easier communication of results with other SCAP system users
SCAP supports easier comparison of issue sets between security organizations because vulnerabilities are described using CVSS, CVE and CPE
Use of SCAP-validated products prepares an organization for FDCC/USGCB audits
It is possible to make and modify custom checklists
Use of FDCC/USGCB content is required only under government mandate

Configuration Management: Unix Configuration
c.edu/Courses/c6056/lectures/PDF/config management.pdf
