Securing IT Systems with the - PowerPoint PPT Presentation

1
The Center for Internet Security (SM)
  • Securing IT Systems with the Consensus Benchmarks
    and Scoring Tools
  • Clint Kreitner
  • www.cisecurity.org
  • ckreitner@cisecurity.org

2
Unfortunate, but true
  • Through 2005, 90 percent of cyber attacks will
    continue to exploit known security flaws for
    which a patch is available or a preventive
    measure known.
  • Gartner Group, May 6, 2002

3
What is causing the vulnerabilities that are
being exploited?
  • Software defects
      • Fixed with vendor patches
  • Lack of technical security controls
      • Security settings made to enable or disable
        security features of the OS software
      • Think of them as software switches

4
Examples of security settings
  • Password length, complexity
  • Account lockout after X attempts
  • Audit what system events?
  • Idle time before logoff
  • Users allowed to install print drivers?
  • What unneeded services to disable?
  • File system to use?

5
Aren't these standards adequate to improve user
security practice?
  • ISO 17799
  • COBIT from ISACA
  • SysTrust, WebTrust from AICPA
  • FISCAM from GAO
  • Principles and Practices for Security of IT
    Systems from NIST
  • Standard of Good Practice from ISF

6
These standards are helpful, but incomplete
  • They describe what to do, but not how
  • These standards are effective only when
    accompanied by details on how to implement their
    requirements

7
An Example from ISO 17799, 9.7.1 Event logging
  Audit logs recording exceptions and other
  security-relevant events should be produced and
  kept for an agreed period to assist in future
  investigations and access control monitoring.
  Audit logs should also include:
    a) user IDs
    b) dates and times for log-on and log-off
    c) terminal identity or location if possible
    d) records of successful and rejected system
       access attempts
    e) records of successful and rejected data and
       other resource access attempts.
8
One of several actions needed to implement event
logging on Sun Solaris systems:

    # Boot-time script: run sadc as user sys to start the day's accounting file
    cat <<END_SCRIPT >/etc/init.d/newperf
    #!/sbin/sh
    /usr/bin/su sys -c \
      "/usr/lib/sa/sadc /var/adm/sa/sa\`date +%d\`"
    END_SCRIPT
    chown root:sys /etc/init.d/newperf
    chmod 744 /etc/init.d/newperf
    # Start the script at run level 2
    rm -f /etc/rc2.d/S21perf
    ln -s /etc/init.d/newperf /etc/rc2.d/S21perf
    # sys crontab: collect every 20 minutes (sa1), daily report at 23:45 (sa2)
    /usr/bin/su sys -c crontab <<END_ENTRIES
    0,20,40 * * * * /usr/lib/sa/sa1
    45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
    END_ENTRIES
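The benchmarks described later in this deck are paired with scoring tools that check whether settings like the ones above are actually in place. As an added example (not code from the slides or from CIS), here is a minimal POSIX sh scoring check for the Solaris configuration above; the ROOT prefix and CRONTAB file arguments, the six check names and the fixture builder are this example's own constructions so it can run offline.

```shell
#!/bin/sh
# Added example (not from the slides or the CIS benchmark): a minimal
# scoring-tool style check that the system-accounting setup above is in
# place. ROOT is a filesystem prefix ("/" on a live host, a fixture
# directory offline); CRONTAB is a file holding the sys user's crontab
# (e.g. saved output of `crontab -l sys`). Prints the number of checks
# passed (0-6) on stdout and one PASS/FAIL line per check on stderr.
score_newperf() {
    root=$1; crontab_file=$2; score=0
    init="$root/etc/init.d/newperf"
    link="$root/etc/rc2.d/S21perf"
    check() {  # check NAME COMMAND...: run the test, report it, count a pass
        name=$1; shift
        if "$@" 2>/dev/null; then score=$((score + 1)); echo "PASS $name" >&2
        else echo "FAIL $name" >&2; fi
    }
    check "init script present"     test -f "$init"
    check "init script mode 0744"   test -n "$(find "$init" -perm 744 2>/dev/null)"
    check "init script runs sadc"   grep -q '/usr/lib/sa/sadc' "$init"
    check "S21perf links to script" test "$(readlink "$link" 2>/dev/null)" = /etc/init.d/newperf
    check "sa1 every 20 minutes"    grep -Eq '^0,20,40([[:space:]]+\*){4}[[:space:]]+/usr/lib/sa/sa1' "$crontab_file"
    check "sa2 daily at 23:45"      grep -Eq '^45[[:space:]]+23([[:space:]]+\*){3}[[:space:]]+/usr/lib/sa/sa2' "$crontab_file"
    echo "$score"
}

# Constructed fixture: recreates under ROOT what the commands above would
# create under /, so the check can be exercised without a Solaris host.
build_fixture() {
    root=$1
    mkdir -p "$root/etc/init.d" "$root/etc/rc2.d"
    printf '%s\n' '#!/sbin/sh' \
        '/usr/bin/su sys -c "/usr/lib/sa/sadc /var/adm/sa/sa`date +%d`"' \
        >"$root/etc/init.d/newperf"
    chmod 744 "$root/etc/init.d/newperf"
    ln -sf /etc/init.d/newperf "$root/etc/rc2.d/S21perf"
    printf '%s\n' '0,20,40 * * * * /usr/lib/sa/sa1' \
        '45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A' \
        >"$root/sys.crontab"
}

tmp=$(mktemp -d)
build_fixture "$tmp"
echo "score: $(score_newperf "$tmp" "$tmp/sys.crontab")/6"   # 6/6 for the fixture
rm -rf "$tmp"
```

On a live host the same function runs as `score_newperf / /tmp/sys.crontab` after saving the sys crontab; any check reporting FAIL is configuration drift from the slide's settings.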
9
Why has it been so difficult to proliferate good
security practice?
  • Vendors have been shipping unconfigured systems
    to users with technical security controls turned
    off
  • Users don't know how to properly configure their
    systems
  • Users are afraid to disrupt operations
      • with patches or security settings

10
Microsoft Issues Patches, but Users Don't Apply
Them
Forrester Research Report April 3, 2003
11
Responding to the challenge
  • Cosmos Club meeting Aug 2000
  • Need to develop and proliferate detailed
    technical best practices
  • The only true solution is to try to raise the bar
    everywhere, globally
  • Employ a consensus process to define best
    practices that is driven by security-savvy users
    from the public and private sectors

12
The Center for Internet Security (CIS)
  • Formed in October 2000
  • Modeled after other community initiatives, e.g.,
    transportation safety
  • A not-for-profit consortium of users
  • Convenes and facilitates teams that build
    consensus benchmarks

13
Some of the participants in the consensus effort
  • Government
      • National Institute of Standards and Technology (NIST)
      • Infocomm Development Authority of Singapore
      • Naval Surface Warfare Center
      • US Treasury Financial Management Service
      • Washington State Dept. of Health
      • Defense Information Systems Agency (DISA)
      • Federal Reserve System
      • NASA
      • US Dept of Justice
      • Library of Congress
      • Royal Canadian Mounted Police
      • Communications Security Establishment (Canada)
      • Canadian CERT
      • NSA
      • GSA
      • FedCIRC
      • Department of Homeland Security
      • State of Maryland

14
Participants (contd)
  • Commercial
      • Eastman Kodak
      • SASKTel
      • LG&E Energy
      • Hallmark
      • Intel
      • Deutsche Telekom
      • Caterpillar
      • Baylor College of Medicine
      • NCR
      • Battelle
      • U.S. Central Credit Union
      • VISA
      • Thomson Holdings
      • Pitney Bowes
      • First Union Corporation
      • Intuit
      • Union Bank of California
      • Swiss Reinsurance Co
      • Elemica
      • Online Resources
      • Agilent Technologies
      • Shell Information Technology International
      • PeopleSoft
      • News Corporation

15
More (contd)
  • Consulting/Service
      • IBM Business Consulting
      • Grant Thornton
      • Deloitte & Touche
      • ISS
      • Symantec
      • BindView
      • NetIQ
      • SecureNet Solutions
      • RDA Corp
      • CSC
      • Procinct Security
      • Solutionary
      • Polivec
      • Mobile Automation
      • ConfigureSoft
      • GFM Consulting

16
More (contd)
  • Universities
      • Institute for Security Technology Studies at Dartmouth
      • Virginia Tech
      • Monash University (Australia)
      • Illinois Institute of Technology
      • University of Missouri
      • William & Mary
      • Utah State University
      • University of California, SF
      • New York University

17
Auditing Participants
  • Information Systems Audit and Control Association
    (ISACA)
  • American Institute of Certified Public
    Accountants (AICPA)
  • Institute of Internal Auditors (IIA)

18
What has this public/private partnership
produced so far?
19
Currently available
  • Level I Configuration Benchmarks
      • Solaris
      • Linux
      • HP-UX
      • Windows NT
      • Windows 2000
      • Cisco Router IOS

20
A Level I Benchmark
  • Can be implemented by a sysadmin of any level of
    security expertise
  • Can be monitored by a compliance tool
  • Is not likely to break any function
  • Represents a baseline level of security

21
Currently available
  • Gold Standard Benchmarks
      • W2K Professional Level II
      • W2K Server Level II
      • CISCO Router IOS Level I/II
      • Solaris Level I

22
Also currently available
  • Configuration Scoring Tools
      • Solaris
      • Linux
      • HP-UX
      • Windows NT
      • Windows 2000 Server
      • Windows 2000 Professional
      • Cisco Router IOS

23
(No Transcript)
24
Under development
  • Benchmarks and Scoring Tools for
      • Oracle databases
      • Apache
      • Windows IIS
      • Windows XP
      • Windows Server 2003
      • Catalyst Switches
      • PIX Firewalls
      • Check Point FW-1
      • SQL Server
      • Juniper Routers

25
How is this work being done?
  • Teams are formed with security experts from
    member organisations
  • An initial benchmark draft is obtained or
    developed
  • Consensus is established via email and conference
    call discussion
  • A scoring tool is developed
  • They are made available free to all users
    globally via the CIS website (www.cisecurity.org)

26
The good news: case studies show that 80-90% of
known vulnerabilities are blocked by the security
settings in the consensus benchmarks.
27
Case Study Methodology
  • (1) Scan a system out of the box and list
    identified vulnerabilities
  • (2) Configure the system with the appropriate
    benchmark
  • (3) Rescan the system and note the
    vulnerabilities remaining

28
Vulnerability Assessment Case studies
29
Encouraging progress
  • U.S. government promulgation of CIS benchmarks
    and tools via FedCIRC
  • VISA adoption of CIS benchmarks for its
    Cardholder Information Security Program's Digital
    Dozen
  • Progress at the vendor level
      • Dell now delivering pre-configured systems
      • Top security experts from Microsoft, Sun, HP,
        Cisco, and Oracle are active on the benchmark
        consensus teams

30
Benefits of using benchmarks and tools
  • Substantially reduce the risk of unauthorized
    intrusion
  • Following a recognized patching and configuration
    standard demonstrates due care against legal
    liability
  • Provides a basis for ongoing measurement and
    reporting of security status to management

31
Recommended policies
  • Use government purchasing power to buy only
    benchmark-configured systems from vendors
  • Encourage corporate and other institutional
    buyers to do the same
  • Establish benchmark compliance as an audit
    requirement
  • Encourage users in all sectors to download and
    use the consensus benchmarks and tools

32
  • Thank you!
  • ckreitner@cisecurity.org
  • http://www.cisecurity.org