security advisory - Sify Technologies


SECURITY ADVISORY - ISSUE 3

PREVENTION IS BETTER THAN CURE… No organization, regardless of market cap, is immune from hacks…

We hear about new security threats every day that create havoc in the Information Technology industry. The Q2 2017 statistics below, which span the kill chain from pre-attack reconnaissance (exploits) to weaponization (malware) to post-compromise command and control (botnets), raise some questions: Are we protected from such threats? How can we prevent our IT systems from being compromised? When should we act against new threats? How far should security measures go to prevent loss to the organization? Five years ago only a minuscule number of organizations took security seriously; most of the others considered security a burden, a dead expenditure. In recent years a noticeable amount of loss in the IT industry has been reported as a result of security breaches, and information security breaches have made the front pages of newspapers. Not only organizations but also individuals have started worrying about information security risk. Organizations realized that reacting after an incident had occurred was not a good idea, as the loss could be tremendous in no time; it could even be so serious that the organization might never recover. Hence the IT industry started looking for a proactive approach that reduces the chance of huge loss to the organization.

Threats by the numbers, Q2 2017 (Fortinet Threat Landscape Report Q2 2017):

Exploits: 184 billion exploit detections; 1.8 billion average daily volume; 6,298 unique exploit detections; 69% of firms saw severe exploits.

Malware: 62 million detections; 677,000 average daily volume; 16,582 variants in 2,534 families; 18% of firms saw mobile malware.

Botnets: 2.9 billion botnet detections; 32 million average daily volume; 243 unique botnets detected; 993 daily communications per firm.

True cyber security is preparing for what's next, not what was last.


EFFECTIVE CYBER DEFENCE – THE CONTROLS

In their white paper "Back to Basics: Focus on the First Six CIS Critical Security Controls", SANS states that the biggest security gains against the most common threat vectors can be simply and inexpensively achieved by implementing Controls 1–6. Year after year, investigations performed after breaches and other security incidents reveal that the majority of incidents occur because well-known security controls and practices were not implemented, or were not working as organizations had assumed. Implementing the first six CIS Critical Security Controls has proven to deliver a highly effective and efficient level of defence against the majority of real-world attacks, and provides the necessary foundation for dealing with more advanced attacks.

CIS CRITICAL SECURITY CONTROLS FOR EFFECTIVE CYBER DEFENSE (Top 20 Critical Security Controls defined by CIS, Version 6.1)

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

Where to begin with?

Getting started is the most important step, and the Controls apply to nearly any enterprise. Sify can help!

Try to answer the following questions and find where your organisation stands in basic cyber defence.

Know What You Are Protecting
How many unauthorised or unknown computers are currently connected to the organisation's network? How many unauthorised software packages are running on the organisation's computers? What percentage of the organisation's computers are running software whitelisting defences that block unauthorised programs from running?

Define Secure Configuration Baselines
What percentage of the organisation's computers (operating systems and applications) are configured as per the organisation's documented standards?

Continuously Monitor Vulnerability of Resources
What is the comprehensive Common Vulnerability Scoring System (CVSS) vulnerability rating for each of your organisation's critical systems?

Limit and Monitor Administrative Privileges
Have you baselined privileged user behaviour, monitored for outliers, and defined a process to audit high-priority anomalies based on predefined thresholds?

Continuous Monitoring/Situational Awareness
Nothing stands still. Do you continuously monitor, and are you aware of the situation across your IT organisation?


ASSET INVENTORY – FOUNDATIONAL ELEMENT OF SECURITY PROGRAM
Keeping an integrated and well-maintained Asset Inventory Database with the proper inputs and outputs can serve as a foundational element in any comprehensive security program. The first step in most computer attacks is reconnaissance, so that the attackers can understand the network. At the heart of the first two controls is an asset inventory database, which contains information about what (software, applications, etc.) is running and where (devices). Many items in the database can be discovered through automated scanning. Once identified, additional information can be added, such as asset owner, relationships to other assets, maintenance contracts, support numbers, external access requirements and application criticality. The database can then be used as a checkpoint to determine whether a running device or application is authorized: alerts or reports can be produced indicating unexpected behaviour whenever a device or application is running that is not in the database. Those alerts can then be investigated and, if required, the unexpected application or device mitigated to reduce risk.
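The checkpoint described above, as an added example that is not part of the advisory or of any Sify tooling: a discovery-scan result is reconciled against an authorized-device list (Control 1) and a software allow-list (Control 2), producing alerts for anything not in the inventory. All device, MAC, IP and package records are constructed for illustration.

```python
"""Reconcile an automated discovery scan against the Asset Inventory Database
(CIS Controls 1 and 2): anything running that is not in the database raises an
alert for investigation. Added example; every record here is constructed."""
from collections import namedtuple

# Constructed Asset Inventory Database: authorized devices keyed by MAC, enriched
# after discovery with owner and criticality, as the text describes.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": {"hostname": "fin-db-01", "owner": "Finance", "criticality": "high"},
    "00:11:22:33:44:02": {"hostname": "hr-ws-07", "owner": "HR", "criticality": "low"},
}
# Constructed software allow-list (Control 2): package -> approved major versions.
AUTHORIZED_SOFTWARE = {"openssh-server": {"7", "8"}, "postgresql": {"12"}, "firefox": {"115"}}

# kind is one of: unknown_device, unauthorized_package, unapproved_version
Alert = namedtuple("Alert", "severity mac kind message")

def reconcile(scan):
    """Compare every discovered host and package with the inventory; return alerts."""
    alerts = []
    for host in scan:
        mac, name = host["mac"], host["hostname"]
        if mac not in AUTHORIZED_DEVICES:
            alerts.append(Alert("high", mac, "unknown_device", f"{name} at {host['ip']} is not in the inventory"))
            continue  # triage the device itself before judging its software
        critical = AUTHORIZED_DEVICES[mac]["criticality"] == "high"
        for pkg, ver in host["software"]:
            if pkg not in AUTHORIZED_SOFTWARE:
                alerts.append(Alert("high" if critical else "medium", mac, "unauthorized_package", f"{pkg} {ver} on {name}"))
            elif ver.split(".")[0] not in AUTHORIZED_SOFTWARE[pkg]:
                alerts.append(Alert("medium", mac, "unapproved_version", f"{pkg} {ver} on {name}"))
    return alerts

def metrics(scan):
    """Answers to two 'Where to begin' questions: unknown computers and unauthorized packages."""
    kinds = [a.kind for a in reconcile(scan)]
    return {"unknown_devices": kinds.count("unknown_device"),
            "unauthorized_software": len(kinds) - kinds.count("unknown_device")}

# Constructed discovery-scan output: one known server, one workstation running an
# unapproved tool, and a laptop nobody registered.
SCAN = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.5", "hostname": "fin-db-01",
     "software": [("postgresql", "12.4"), ("openssh-server", "8.2")]},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.2.17", "hostname": "hr-ws-07",
     "software": [("firefox", "115.0"), ("torrent-client", "3.1")]},
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.2.99", "hostname": "unknown-laptop",
     "software": [("firefox", "115.0")]},
]

if __name__ == "__main__":
    for a in reconcile(SCAN):
        print(f"[{a.severity.upper()}] {a.mac} {a.kind}: {a.message}")
```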

DEFINING SECURE CONFIGURATION BASELINES
With an accurate inventory in place, the next step is evaluating the configuration of endpoints against configuration standards. Hardening a computer or application is an important step in the fight to protect your personal data and information. This process works to eliminate means of attack by patching vulnerabilities and turning off inessential services. Hardening a computer involves several steps that form layers of protection; this approach to safer computing is often called defence in depth. Good computer security is about finding the right balance between hardening a system against potential threats and maintaining usability. Much of this is captured in three simple concepts:
1. Ensure a system's security configurations are appropriately set, given the job it needs to do.
2. Ensure operating system software, firmware and applications are updated to stay ahead of exploits that attack flaws in the underlying code.
3. Ensure this process runs continually, leveraging and employing as much automation as possible.

CONTINUOUSLY MONITOR VULNERABILITY OF RESOURCES
Network and device hygiene are perhaps the most neglected elements of security today. As of Q2 2017, a full 90% of organizations recorded exploits for vulnerabilities that were three or more years old. Even 10+ years after a flaw's release, 60% of firms still see related attacks. Through 2020, zero-day vulnerabilities will play a role in less than 0.1% of attacks in general, excluding sensitive government targets. The vast majority of successful attacks exploit well-known vulnerabilities. Zero-day attacks are what people tend to worry about, but they are not the typical case. It is important that security teams combat existing vulnerabilities and ensure that basic security is effective. Note: zero-day flaws are unpublished vulnerabilities, typically not known to the software developers.


A continual assessment is required to identify new weaknesses and to take action to remediate the vulnerabilities found.

Figure 3 - Prevalence of vulnerabilities targeted by exploits, grouped by CVE release year and colored by severity rating (Fortinet Threat Landscape Report Q2 2017)

Vulnerability Assessment and Penetration Testing (VAPT) comes in handy for such continual assessment. In short, penetration testing and vulnerability assessment perform two different tasks, usually with different results, within the same area of focus. Vulnerability assessment tools discover which vulnerabilities are present, but they do not differentiate between flaws that can be exploited to cause damage and those that cannot. Penetration tests find exploitable flaws and measure the severity of each. Together, penetration testing and vulnerability assessment tools provide a detailed picture of the flaws that exist in an application or a system and the risks associated with those flaws.
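As an added example (not from the advisory or any Sify tool), the rollup below turns raw vulnerability-assessment findings into the two figures this section cares about: a comprehensive CVSS rating per critical system, and how many of its open CVEs are three or more years old, the hygiene gap Figure 3 illustrates. The severity bands are the published CVSS v3.0 qualitative ranges; the assets, scores and CVE identifiers are constructed placeholders.

```python
"""Roll up constructed vulnerability-assessment findings per asset: worst CVSS score,
counts per severity band, and how many CVEs are 'stale' (published three or more
years before the assessment). Added example; all findings are constructed."""
from collections import defaultdict

ASSESSMENT_YEAR = 2017  # the advisory's reference period (Q2 2017)

def cvss_severity(score):
    """CVSS v3.0 qualitative bands: None 0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10."""
    for upper, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return band
    return "Critical"

def cve_year(cve_id):
    """CVE-YYYY-NNNN -> YYYY, the year the flaw was published."""
    return int(cve_id.split("-")[1])

def summarize(findings, year=ASSESSMENT_YEAR, stale_after=3):
    """Per-asset rollup: worst CVSS score and its band, counts per band, stale-CVE count."""
    per_asset = defaultdict(lambda: {"max_cvss": 0.0, "bands": {}, "stale": 0, "total": 0})
    for f in findings:
        s = per_asset[f["asset"]]
        s["total"] += 1
        s["max_cvss"] = max(s["max_cvss"], f["cvss"])
        band = cvss_severity(f["cvss"])
        s["bands"][band] = s["bands"].get(band, 0) + 1
        if year - cve_year(f["cve"]) >= stale_after:
            s["stale"] += 1
    for s in per_asset.values():
        s["rating"] = cvss_severity(s["max_cvss"])  # the system's comprehensive rating
    return dict(per_asset)

def remediation_order(summary):
    """Worst exposure first: highest max CVSS, then the most stale CVEs."""
    return sorted(summary, key=lambda a: (summary[a]["max_cvss"], summary[a]["stale"]), reverse=True)

# Constructed VA output; the CVE identifiers are placeholders, not real entries.
FINDINGS = [
    {"asset": "fin-db-01", "cve": "CVE-2014-EXAMPLE1", "cvss": 9.8},
    {"asset": "fin-db-01", "cve": "CVE-2017-EXAMPLE2", "cvss": 5.3},
    {"asset": "hr-ws-07", "cve": "CVE-2016-EXAMPLE3", "cvss": 7.5},
    {"asset": "hr-ws-07", "cve": "CVE-2012-EXAMPLE4", "cvss": 4.3},
    {"asset": "web-01", "cve": "CVE-2017-EXAMPLE5", "cvss": 6.1},
]

if __name__ == "__main__":
    print(remediation_order(summarize(FINDINGS)))
```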

Patch Management
Today more than ever, a timely patch management response to vulnerabilities is critical to maintaining the operational availability, confidentiality and integrity of IT systems. Patches are usually released for three reasons:
1. To fix faults in an application or operating system. Many hacker attacks are based on exploiting faults in the computer code of applications and operating systems. Patches are also released to correct performance or functionality problems.
2. To alter functionality or to address a new security threat. An example of this is new virus definitions for an antivirus application: there was nothing "wrong" with the code of the antivirus program, but it had to be updated to detect new viruses that did not exist when the application was first released.
3. To change or modify the software configuration to make it less susceptible to attacks and more secure.


KEEP AN EYE ON ADMINISTRATIVE PRIVILEGES
The majority of criminals are not using valuable zero-day exploits to penetrate corporate networks: they are phishing privileged account credentials from executives and IT staff, or simply guessing passwords for automated service accounts, and in turn exploiting that access to gather valuable information. Zero-day vulnerabilities are so valuable that attackers apply them in a very limited way. A compromised privileged account is the difference between a perimeter breach and a cybersecurity catastrophe; it only takes one compromised privileged account for an attacker to perform malicious activity.

How to approach this rapidly growing challenge of privileged user account abuse: see our 5 suggestions on Privileged Identity Management in the previous advisory.

CONTINUOUS MONITORING & SITUATIONAL AWARENESS
In the era of disruptive technology, nothing stands still. IT transforms, new assets are plugged into the organisation's network every day, and new software is introduced every moment. New threats and attack surfaces appear from nowhere. Situational awareness is key for security teams to focus on deploying resources in the most effective and efficient areas to meet business security needs. The terms 'continuous' and 'ongoing' in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions that adequately protect organization information. Data collection, no matter how frequent, is performed at discrete intervals.
1. Establish and measure meaningful security metrics.
2. Monitor those metrics frequently enough to minimize incident impact.
3. Take action rapidly, efficiently and effectively to improve overall security.

CONCLUSION
"Before anything else, preparation is key to success." – Alexander Graham Bell
Identify your organization's critical assets, baseline their configurations, identify critical vulnerabilities, apply relevant patches, identify and protect privileged identities, and monitor efficiently on a continuous basis.


SIFY OFFERING
The Fortknox Service delivers a comprehensive review and assessment of a current security environment. It addresses the requirements of the first six controls of the CIS Top 20 Controls. Security exposures and risks are identified within a customer's network and systems using industry-standard tools. It gives the customer the benefit of an outside security review of their environment that analyzes and measures their level of security against industry standards and best practices.

[Diagram: Secure Fortknox, surrounded by its components: OS Hardening, IDS, Port Scan, VA, Security Patching, Firewall Review, Syslog, Configuration Check, Web PT, PT, Executive Summary Report]

FORTKNOX SERVICE DELIVERABLES
OS Hardening: making an operating system more secure as per standard practices and recommendations.
IDS Monitoring: a network-based IDS monitors Internet traffic to the systems in scope and alerts on critical traffic found suspicious, in near real time.
Port Scanning: probing a server or host for open ports.
Vulnerability Assessment: the process of identifying and quantifying vulnerabilities in a system.
Syslog Monitoring: system logs are collected and analyzed every day to find critical alerts in near real time.
PT: penetration testing is a proven method of evaluating the security of computing networks and applications by simulating a malicious attack.
Web Vulnerability Assessment and Penetration Testing: performed to discover and enumerate the weaknesses of web applications exposed to the public domain.
Configuration Checks: providing ongoing server assessment and checks.
Firewall Conduit Review: an audit of vulnerable policies on the firewall.
Patch Management: ensuring system security of the Windows operating system by applying relevant patches.
Executive Summary Report: an executive dashboard of the server security posture, with recommendations and records for further action to improve the security posture of critical systems.

Sify Technologies Limited II Floor, TIDEL Park, No.4, Canal Bank Road, Taramani, Chennai - 600 113, India. Phone: +91 44 2254 0770-77 | Fax: +91 44 2254 0771 Email: [email protected] Website: www.sifytechnologies.com