Title: Reducing Real Risk in the Cyber World
1 - Reducing Real Risk in the Cyber World
- or
- STOP THE BLEEDING FIRST!!
- Franklin S. Reeder
- reeder_at_bellatlantic.net
2 Affiliations and disclaimers
- Information System Security and Privacy Advisory Board, http://csrc.nist.gov/csspab
- Center for Internet Security, www.CISecurity.org
- Personal
3 Managers are frustrated about how to manage security
- What do I need to do?
- How much is enough?
- Who can I trust?
- How can I resolve the conflicting advice I'm receiving from the experts?
- How can I get beyond what seems like a cycle of futility?
4 Security staff is frustrated
- All management wants is operational performance and convenience
- People don't understand the inherent tension between security and usability
- Management is reinforcing the wrong psychology
- Vendor security defaults are useless
- Staff time is consumed with installing patches and investigating intrusions
5 Everyone is frustrated
- About how to deal with a problem of global scope in a world focused on narrow competitive self-interest
6 To make it worse, we have met the enemy, and it is us
- "Through 2005, 90 percent of cyber attacks will continue to exploit known security flaws for which a patch is available or a preventive measure known." - Gartner Group, May 6, 2002
7 What's the problem? Plenty of standards are available
- ISO 17799
- COBIT from ISACA
- SysTrust, WebTrust from AICPA
- FISCAM from GAO
- Principles and Practices for Security of IT Systems from NIST
- Standard of Good Practice from ISF
8 The devil is in the granular details that these standards don't address
9 Redefining the risk management paradigm
10 Are we facing a cyber Pearl Harbor? Probably not
- More like a hurricane(s)
- Localized
- Potentially intense
- Affecting a community not necessarily defined by geography
11 The old approach
- Zero-based risk assessments
- Identified:
- Vulnerabilities
- Threats
- Probabilities
12 A new way of approaching risk
- Vulnerability-based
- Recognizes:
- Common risks
- Shared or community risks
13 A new vocabulary
- Common risks: exposures that everyone who operates a particular technology incurs
- Shared risks: damage that you can inflict on others as a result of vulnerabilities in your systems, and vice versa
14 The simple message
- You don't have to do a zero-based risk assessment to know that you should deal with common and shared risks
15 Stop the BLEEDING first
16 What are the business drivers?
- In the private sector:
- Tort liability
- Insurability
- Reputational risk
- Financial exposure
- In the public sector:
- Mission
- Political risk/public confidence
17 Emerging
18 The Center for Internet Security (CIS)
- Formed in October 2000
- A not-for-profit membership consortium of users
- No commercial self-interest
- Focused on the common needs of the global Internet community
- Knowledge transfer from haves to have-nots
- Prevent undue influence by commercial vendors
- Convene and facilitate consensus on detailed operational best practices
- Modeled after other community initiatives, e.g., transportation safety
19 Responding to the challenge
- Need to develop and proliferate detailed operational best practices
- The only true solution is to raise the bar everywhere, globally
- Private sector won't trust gov't to do it
- Private sector companies don't trust each other because of competitive self-interest
20 Some of the participants in the consensus effort
- Government
- National Institute of Standards and Technology
- Infocomm Development Authority of Singapore
- Naval Surface Warfare Center
- US Treasury Financial Management Service
- Washington State Dept. of Health
- US Army Corps of Engineers
- Defense Info Sys Agency
- Federal Reserve System
- NASA
- Australian Nat'l Audit Ofc
- US Dept of Justice
- Library of Congress
- Royal Canadian Mounted Police
- Communications Security Establishment (Canada)
- Canadian CERT
- GSA
- NSA
- FBI/NIPC
- FedCIRC
- State of Maryland
21 Participants (cont'd)
- Commercial
- Allegheny Energy
- Baltimore Gas & Electric
- Pitney Bowes
- Component Graphics
- eScout.com
- Emprise Technologies
- REDW Technologies
- Educational Testing Svc.
- Financial Models Co.
- Agilent Technologies
- Shell Info. Tech. Int'l
- PeopleSoft
- News Corporation
- Eastman Kodak
- Pacific Gas & Electric
- SASKTel
- Lucent Technologies
- LGE Energy
- Hallmark
- Chevron
- Intel
- Vulcan Materials
- Mrs. Smith's Bakeries
- Caterpillar
- Intuit
- NCR
22 More (cont'd)
- Finance/Insurance/Healthcare
- VISA
- Allstate
- First Union Corporation
- Nat'l Life Assurance Co of Canada
- U.S. Central Credit Union
- Union Bank of California
- City National Bank (LA)
- Baylor College of Medicine
- Swiss Reinsurance Co (SwissRe)
- Consulting/Service
- Permeo Technologies
- WorldPort (Ireland)
- Guardent
- Procinct Security
- Server Vault
- Grant Thornton
- Integralis Ltd (England)
- Solutionary
- Polivec
23 More (cont'd)
- Universities
- Institute for Security Technology Studies at Dartmouth
- Virginia Tech
- Monash University (Australia)
- University of Alabama at Birmingham
- University of Missouri
- Blekinge Inst. of Technology (Sweden)
- Utah State University
- University of California, SF
- New York University
- Consulting/Service
- PricewaterhouseCoopers
- Deloitte & Touche
- ISS
- Symantec
- BindView
- Harris
- NetIQ
- VIGILANTe
- SecureNet Solutions
- Computer Sciences Corp.
24 Auditing participants
- Information Systems Audit and Control Association (ISACA)
- American Institute of Certified Public Accountants (AICPA)
- Institute of Internal Auditors (IIA)
25 The consensus process
- Focus on real-world user needs
- Form a team for each environment
- Dedicated email dialogue
- Conference calls
- Start with whatever best practice guidelines are available
- Refine via discussion; revise until consensus is reached
- Produce a benchmark and a scoring tool
- Make them available free to everyone
26 What has collaboration achieved so far?
27 Currently available
- Level I Configuration Benchmarks
- Solaris
- Linux
- HP-UX
- Windows NT
- Windows 2000
- Cisco Router IOS
28 Solaris 3.17: Turn on inetd tracing, or disable inetd if possible

Action:

    cd /etc/init.d
    if [ -s /etc/inet/inetd.conf ]; then
        # inetd.conf still has active services: keep inetd, but start it with -t (tracing)
        awk '/\/usr\/sbin\/inetd/ { $1 = "/usr/sbin/inetd -t" }; { print }' inetsvc > newinetsvc
    else
        # no services left in inetd.conf: remove the config files so inetd has nothing to serve
        rm -f /etc/inetd.conf /etc/inet/inetd.conf
        awk '/\/usr\/sbin\/inetd/ { $1 = "/usr/sbin/inetd -t" }; { print }' inetsvc > newinetsvc
    fi
    chown root:sys newinetsvc
    chmod 744 newinetsvc
    rm -f /etc/rc2.d/S72inetsvc
    ln -s /etc/init.d/newinetsvc /etc/rc2.d/S72inetsvc

Discussion: If the actions in Section 2 of this benchmark resulted in no services being enabled in /etc/inet/inetd.conf, then we may as well disable the inetd service completely on this system. In any event, it is a good idea to make use of the "tracing" (-t) feature of the Solaris inetd that logs information about the source of any network connections seen by the daemon. This information is logged via syslog, and the administrator must specifically configure the system to capture this information (see Item 5.2 below).
29 A Level I Benchmark
- Can be implemented by a sysadmin of any level of security expertise
- Can be monitored by a compliance tool
- Is not likely to break any function
- Represents a baseline level of security
30 Currently available
- Gold Standard Benchmarks
- W2K Professional Level II
- W2K Server Level II
- CISCO Router IOS Level I/II
- Solaris Level I
31 Currently available
- Configuration Scoring Tools
- Solaris
- Linux
- HP-UX
- Windows NT
- Windows 2000 Server
- Windows 2000 Professional
- Cisco Router IOS
33 Under development
- Benchmarks and Scoring Tools for:
- Apache
- Windows IIS
- Catalyst Switches
- PIX Firewall
- Check Point FW-1
- Windows NT Gold Standard
- Oracle
- SQL Server
- Juniper Router
34 Coming later
35 Remember this quote?
- "Through 2005, 90 percent of cyber attacks will continue to exploit known security flaws for which a patch is available or a preventive measure known." - Gartner Group, May 6, 2002
36 The good news: research concludes that 80-90% of known vulnerabilities are blocked by the security settings in the consensus benchmarks. There is an abundance of low-hanging fruit we all can pick to substantially reduce our risk of unauthorized intrusion.
37 Research methodology
- (1) Scan a system out of the box and list identified vulnerabilities
- (2) Configure the system with the appropriate benchmark
- (3) Rescan the system and note the vulnerabilities remaining
38 This case study is available at www.cisecurity.org
39 Another study (NSA)
- Reduction: 96, 90, 50, 91 (table headers lost in extraction)
40 Yet another study (Mitre)
- Windows 2000 Professional Gold Standard configuration reduced CVE vulnerabilities by 83%
41 IA Newsletter describing the NSA and Mitre studies
- Vol 5, Number 3, Fall 2002
- http://iac.dtic.mil/iatac/news_events/ia_newsletter.htm
42 Encouraging signs
- Federal gov't adoption of CIS benchmarks and tools
- VISA adoption of CIS benchmarks for its Cardholder Information Security Program's Digital Dozen
- Progress at the vendor level:
- Dell
- Microsoft
43 What you can do
- Adopt security best practices wherever you find them: the Center for Internet Security benchmarks and scoring tools are available free at http://www.cisecurity.org
- Focus your energies on matters unique to your organization
- Share your knowledge
- Work with the user community for everyone's benefit: the bad guys communicate with each other; shouldn't we?