technical control standards for security configuration developed via public / private partnership...
TRANSCRIPT
Technical Control Standards for Security Configuration
Developed Via Public / Private Partnership
Bert Miuccio, Vice President
The Center for Internet Security
Information Security Controls (NIST Pub 800-53)
Management Controls
Operational Controls
Technical Controls
Security Controls (NIST Pub 800-53)
Management Controls
- address the assessment and management of risk related to information systems
Security Controls (NIST Pub 800-53)
Operational Controls– address security risks and
recommendations primarily related to the people who use information systems (as opposed to the systems themselves)
– describe “what” to do in broad terms, and some times describe “when” and by “whom”
Security Controls (NIST Pub 800-53)
Technical Controls– define in detailed technical terms “how”
to implement the requirements of the higher level guidance within specific systems (operating systems, applications, devices / Microsoft, Sun, Cisco, Oracle, etc)
Current Information Security Guidance:• High level management controls-based guidance
- OECD and GAISP
• Mid-level operational controls-based guidance– ISO 17799
– FISMA
– CobIT (ISACA)
– Standards of Good Practice (ISF)
• Detailed technical controls guidance– CIS Consensus Benchmarks and Scoring Tools
– NSA, DISA, NIST, and security service / software vendors
Most vulnerabilities being exploited by attackers exist because of:
• Software defects
– Fixed with vendor patches
• Inadequate technical security controls
– Fixed by settings which enable or disable
security features of the software or network
device
Examples of security requirements/policies activated via technical controls
• Password length, complexity
• Account lockout after X attempts
• Log what system events?
• Idle time before workstation logoff
• Who is allowed to install printer drivers?
• What unneeded services to disable?
We have met the enemy, and it is us!
“Through 2005, 90 percent of cyber attacks will
continue to exploit known security flaws for
which a patch is available or a preventive
measure known.”
» Gartner Group, May 6, 2002
Why are vendors shipping unsecured systems?• “Our customers don’t want security; they want
features and performance. When they do want
security, we’ll deliver it.”
• “Every customer wants something different. We
can’t be expected to deliver and maintain
thousands of different configurations.”
Recognizing the challenge
• Cosmos Club meeting Aug 2000• Need to develop and proliferate detailed
operational best practices– The only true solution is to raise the bar
everywhere--globally– Private sector won’t trust gov’t to do it– Private sector companies don’t trust each other
because of competitive self-interest
The Center for Internet Security (CIS)
• Formed in October 2000• A not-for-profit consortium of users• Focused on the common needs of the global
Internet community– Knowledge transfer from haves to have-nots
• Convenes and facilitates consensus teams that develop detailed operational best practices
Some participants in the consensus effort:Government:• National Institute of
Standards and Technology
• Infocomm DevelopmentAuthority of Singapore
• Naval Surface Warfare Center
• US Treasury Financial Management Service
• Washington State Dept. of Health
• US Army Corps of Engineers
• Defense Info Sys Agency• Federal Reserve System• State of Maryland
• NASA• Australian Nat’l Audit Ofc• US Dept of Justice• Library of Congress• Royal Canadian Mounted
Police• Communications Security
Establishment (Canada)• Canadian CERT• GSA• NSA• DHS• FedCIRC
Some Participants (cont’d):Commercial:• Dun and Bradstreet• Electric Power Research
Inst.• SASKTel• Fidelity National Financial• LG&E Energy• Hospital Corp. of America• Duetsche Telekom T-Com• Intel• Bank of Montreal• Pfizer• Caterpillar• Intuit• Anadarko Petroleum • Batelle
• Swiss Reinsurance Company• University Health System
Consortium• Humana• Nu Skin Enterprises • Online Resources• Phelps Dodge Corporation• STERIS Corporation• Thomson Holdings• Wachovia Corporation• Agilent Technologies• Shell Info. Tech. Int’l• PeopleSoft• News Corporation
Some Participants (cont’d):
Universities:• Institute for Security Technology
Studies at Dartmouth• Virginia Tech• Monash University (Australia)• Duke University• University of Missouri• Blenkinge Inst. of Technology
(Sweden)• Utah State University• University of California, SF• New York University• Illinois Institute of Technology• College of William and Mary
Consulting/Service:• IBM Consulting• Configuresoft• ISS• Symantec• BindView• Sequation• NetIQ• Solutionary• RDA Corporation• Belarc• GFM Consulting
Vendors are fully engaged as team members, working alongside government and private sector users
• Microsoft
• Sun
• HP
• Cisco
• Oracle
• AOL
The consensus process
• Teams are formed with security experts from member organizations
• An initial benchmark draft is obtained or developed
• Consensus is established via email and conference call discussion
• A scoring tool is developed• They are made available free to all users globally
via the CIS website (www.cisecurity.org)
What has collaboration among the participants achieved so far?
Currently available:
• Level I Configuration Benchmarks
– Solaris
– Linux
– HP-UX
– Windows NT
– Windows 2000
– Windows XP
– Cisco Router IOS
– Oracle Database
A Level I Benchmark:
• Can be implemented by a sysadmin of any level of security expertise
• Can be monitored by a compliance tool• Is not likely to “break” any function
• Represents a baseline level of security
Currently available:
• Level II Benchmarks
– Windows 2000 Professional
– Windows 2000 Server
– Windows XP
– CISCO Router IOS Level
– Oracle Database
Currently available:
• Configuration Scoring Tools– Available for each Benchmark
– Scan only (don’t automatically change settings)
– Host based (not network scanners)
– Compare configuration of the scanned system with the corresponding benchmark, score it on a scale of 1-10
– Configure a newly deployed system and monitor configuration of the computers on which they are installed
Under development:
• Benchmarks and Scoring Tools for:– Apache– Windows IIS– Catalyst Switches– PIX Firewall– Check Point FW-1– Server 2003– SQL Server– Juniper Router– and others
The impact…
Case studies show that 80-90% of known vulnerabilities are blocked by the security settings in the consensus benchmarks…….
Case Study Methodology
• (1) Scan a system “out of the box” and list
identified vulnerabilities
• (2) Configure the system with the appropriate
benchmark
• (3) Rescan the system and note the
vulnerabilities remaining
Vulnerability Assessment Case studies
Study System Benchmark
% of Vuls
Eliminated
Solutionary W2K Server Level I 85
Citadel W2K Pro Level I 81
NSA W2K Pro Level II 91
Mitre W2K Pro Level II 83 (CVE)
Citadel W2K Server Level II 99
Citadel RedHatLinux Level I 100
IA Newsletter describing the NSA and Mitre studies
• Vol 5, Number 3, Fall 2002
• http://iac.dtic.mil/iatac/IAnewsletter/
Vol5_No3.pdf
NSA Red/Blue Team Conference Oct 2003
• These teams are the security experts whose job
is to discover weaknesses in DoD networks by
attempting to penetrate them
At that conference:
• During four days of trying, these security experts
were unable to break into a Microsoft Windows
network with up-to-date patches and configured
with the consensus benchmark technical controls
Milestones in the consensus benchmark effort
• Jul 02 – W2K Level-2 benchmark announced by NSA, DISA, NIST, GSA, SANS, and private sector participants
• Oct 02 - U.S. government begins promulgating consensus benchmarks and tools via FedCIRC
• Nov 02 – NSA reports that consensus benchmarks eliminate over 90% of known vulnerabilities
• Dec 02 - VISA adopts benchmarks for its Cardholder Information Security Program Digital Dozen
Milestones in the consensus benchmark effort (Cont’d)
• Jul 03 – Dell begins delivering Windows 2000
systems pre-configured with consensus benchmark
settings
• Sep 03 - U.S. Dept of Energy announces
procurement requiring Oracle to pre-configure its
software with the consensus benchmark settings
• Dec 03 – AOL requests a benchmark for its users
• June 04 – Dell will begin shipping configured XP
systems
Factors driving adoption of the consensus benchmark practices
• Private sector desire for liability protection via evidence of due care
• Regulatory compliance– SOX, HIPAA, GLB, FISMA, etc
• Incorporation in procurement req’ts by government and commercial buyers– Consensus on technical controls developed jointly
with users enables vendors to deliver systems that are more secure by default
How can you become involved?
• Download the Benchmarks and Scoring Tools.
• Use them to configure your new installations.
• Compare the configuration of your production systems.
How do your systems measure up?
• As necessary – improve your security configs.
• Share your feedback – contribute to the consensus.
How else can you be involved?
• Become a CIS member –
help develop and proliferate the consensus
benchmarks as common practice — thus
making the Internet safer for you and
everyone else.
Conclusions
• Using the benchmarks and scoring tools
available free at http://www.cisecurity.org
implements much of currently available high
level guidance (SOX, HIPAA, GLB, FISMA, etc)
• Users and vendors are working together to
improve security practice
• Detailed configuration practice offers
substantial payoff for the effort expended
Bert Miuccio
Important Background Information“The Benefits of Membership”
• The benchmarks & tools are periodically updated to
– reflect consensus input from security professionals
– keep pace with updated versions of the subject software
– include technical controls that help defend against
emerging threats and vulnerabilities
• The Terms of Use prohibit redistribution of the benchmarks
and software tools for the purpose of minimizing
redistribution of outdated versions of the resources.
TOU on the CIS web site
• Grant of Limited rights.
“CIS hereby grants each user the following rights, but
only so long as the user complies with all of the terms of
these Agreed Terms of Use:
– Except to the extent that we may have received
additional authorization pursuant to a written
agreement with CIS, each user may download, install
and use each of the Products on a single computer;”
“The Benefits of Membership”
• #2. The right to distribute the benchmarks
and tools within your organization. (User
Members and Consulting Members only are
entitled to this benefit)
Some problems with existing IS guidance
• Requirements at various levels of abstraction that are
– Structurally disconnected/fragmented
• Some focus on principles; others on controls
• Not readily scalable for different types and sizes of
organizations
• Developed and promoted by different professional
communities vying for position
– Different taxonomies and terminology
• Detailed technical controls have been largely ignored
Vendors Issue Patches – Users Don’t Apply Them
Forrester Research Report
April 3, 2003