
SEC566.2: Critical Controls 3, 4, 5 and 6

A session at Critical Security Controls Summit

Thursday 15th August, 2013

9:00am to 5:00pm (EST)

Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Default configurations of software are often geared to ease of deployment and ease of use rather than security, leaving some systems exploitable in their default state. Attackers attempt to exploit both network-accessible services and client software using various forms of malware. Without the ability to inventory and control installed and running software, enterprises make their systems more vulnerable. Organizations can implement this control by developing a series of standard hardened images and secure storage servers for hosting those images. Configuration management tools can be employed to measure the settings of the installed software and to look for deviations from the standard image configurations used by the organization. To evaluate the implementation of Control 3 on a periodic basis, an evaluation team must move a benign test system (one that does not carry the official hardened image, but does carry additional services, open ports, and configuration file changes) onto the network. The evaluation team must then verify that the monitoring systems generate an alert or e-mail notice regarding the changes to the software.
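The deviation check described above, as an added example that is not part of the original page or of any SANS material: a baseline describing the hardened image is compared with a record collected from a host, and every differing setting, extra or missing listening port, and extra or missing service is reported as a deviation that can be turned into an alert. The baseline, the two host records and their layout (a dict of setting names to values plus sets of ports and services) are constructed for the example and are not the output of any particular configuration tool.

```python
"""Detect drift from a standard hardened image (Control 3).

Added example, not code from the page or from SANS. The baseline and both
host records are constructed inline; the record layout (a dict of setting
name -> value plus sets of listening ports and running services) is an
assumption, not any particular configuration tool's output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Deviation:
    host: str
    kind: str                # "setting", "port" or "service"
    item: str                # setting name, port number or service name
    expected: Optional[str]  # value in the hardened image (None = not in image)
    observed: Optional[str]  # value on the host (None = absent on host)


# Constructed baseline describing the organization's hardened image.
BASELINE = {
    "settings": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "sysctl.net.ipv4.ip_forward": "0",
        "firewall.enabled": "yes",
    },
    "ports": {"22"},
    "services": {"sshd", "auditd"},
}

# Constructed host records, as a configuration tool might collect them.
HARDENED_HOST = {
    "settings": dict(BASELINE["settings"]),
    "ports": {"22"},
    "services": {"sshd", "auditd"},
}
DRIFTED_HOST = {
    "settings": {
        "ssh.PermitRootLogin": "yes",           # changed
        "ssh.PasswordAuthentication": "no",
        "sysctl.net.ipv4.ip_forward": "1",      # changed
        "firewall.enabled": "yes",
    },
    "ports": {"22", "8080"},                    # extra listener
    "services": {"sshd", "auditd", "telnetd"},  # extra service
}


def compare_to_baseline(host: str, observed: Dict, baseline: Dict = BASELINE) -> List[Deviation]:
    """Return every way `observed` differs from the hardened image."""
    devs: List[Deviation] = []
    # Every setting the image defines must have exactly the image's value;
    # a setting that is absent on the host is reported with observed=None.
    for key, expected in sorted(baseline["settings"].items()):
        actual = observed.get("settings", {}).get(key)
        if actual != expected:
            devs.append(Deviation(host, "setting", key, expected, actual))
    # Extra ports/services are deviations (new attack surface); missing
    # ones are too (e.g. auditd stopped), so compare in both directions.
    for kind, singular in (("ports", "port"), ("services", "service")):
        exp: Set[str] = set(baseline[kind])
        obs: Set[str] = set(observed.get(kind, ()))
        for extra in sorted(obs - exp):
            devs.append(Deviation(host, singular, extra, None, extra))
        for missing in sorted(exp - obs):
            devs.append(Deviation(host, singular, missing, missing, None))
    return devs


def format_alert(devs: List[Deviation]) -> str:
    """One line per deviation, suitable for a ticket or e-mail body."""
    return "\n".join(
        f"{d.host}: {d.kind} {d.item!r} expected={d.expected!r} observed={d.observed!r}"
        for d in devs
    )


if __name__ == "__main__":
    for name, record in (("hardened-01", HARDENED_HOST), ("drifted-02", DRIFTED_HOST)):
        found = compare_to_baseline(name, record)
        print(f"{name}: {len(found)} deviation(s)")
        if found:
            print(format_alert(found))
```

Run stand-alone, the hardened host yields no deviations and the drifted host yields four (two changed settings, one extra port, one extra service). The evaluation step in the text is exactly this: plant a host that differs from the image and confirm the deviations surface as an alert rather than silently accumulating.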

Critical Control 4: Continuous Vulnerability Assessment and Remediation

Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and launch it against targets of interest. Any significant delay in finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through and gain control of vulnerable machines. A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. All machines identified by the asset inventory system must be scanned for vulnerabilities. To evaluate the implementation of Control 4 on a periodic basis, the evaluation team must verify that the scanning tools have successfully completed their weekly or daily scans.
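The scan-over-scan comparison the paragraph describes, as an added example that is not part of the original page or of any scanner product: two scan exports are parsed, each (host, vulnerability) pair is classified as new, fixed or persistent, persistent critical and high findings are flagged as overdue, and the inventory is checked for hosts the scan never reported on. The CSV layout, the asset inventory and the placeholder identifiers (VULN-A and so on) are constructed for the example and are not real advisories.

```python
"""Compare successive vulnerability scans (Control 4).

Added example, not code from the page or from any scanner vendor. Both scan
results and the asset inventory are constructed inline; the CSV layout and the
placeholder vulnerability ids (VULN-A ...) are assumptions, not real advisories.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: str


# Constructed export of last week's scan.
PREVIOUS_SCAN = """host,vuln_id,severity
10.0.0.5,VULN-A,critical
10.0.0.5,VULN-B,medium
10.0.0.7,VULN-C,high
10.0.0.9,VULN-D,low
"""

# Constructed export of this week's scan.
CURRENT_SCAN = """host,vuln_id,severity
10.0.0.5,VULN-A,critical
10.0.0.7,VULN-E,critical
10.0.0.9,VULN-D,low
10.0.0.11,VULN-B,medium
"""

# Constructed asset inventory (Control 1 output); every entry must be scanned.
INVENTORY = {"10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.11", "10.0.0.13"}


def parse_scan(text: str) -> Set[Finding]:
    reader = csv.DictReader(io.StringIO(text))
    return {Finding(r["host"], r["vuln_id"], r["severity"].strip().lower()) for r in reader}


def diff_scans(previous: Set[Finding], current: Set[Finding]) -> Dict[str, List[Finding]]:
    """Classify each (host, vuln_id) pair as new, fixed or persistent.

    Severity is deliberately left out of the key, so a re-rated finding is
    still treated as the same issue rather than as fixed-and-new.
    """
    prev = {(f.host, f.vuln_id): f for f in previous}
    cur = {(f.host, f.vuln_id): f for f in current}
    return {
        "new": [cur[k] for k in sorted(cur.keys() - prev.keys())],
        "fixed": [prev[k] for k in sorted(prev.keys() - cur.keys())],
        "persistent": [cur[k] for k in sorted(cur.keys() & prev.keys())],
    }


def overdue(delta: Dict[str, List[Finding]], severities=("critical", "high")) -> List[Finding]:
    """Findings that survived from the previous scan at a severity that
    should have been remediated within one scan interval."""
    return [f for f in delta["persistent"] if f.severity in severities]


def unscanned_hosts(inventory: Set[str], current: Set[Finding]) -> List[str]:
    """Inventory entries with no findings at all in the current scan: either
    clean or never reached by the scanner; both cases need checking."""
    return sorted(inventory - {f.host for f in current})


if __name__ == "__main__":
    delta = diff_scans(parse_scan(PREVIOUS_SCAN), parse_scan(CURRENT_SCAN))
    for bucket, findings in delta.items():
        print(bucket, [(f.host, f.vuln_id, f.severity) for f in findings])
    print("overdue", [(f.host, f.vuln_id) for f in overdue(delta)])
    print("unscanned", unscanned_hosts(INVENTORY, parse_scan(CURRENT_SCAN)))
```

One caveat a practitioner should keep in mind: a findings-only export cannot distinguish a clean host from one the scanner never reached, which is why `unscanned_hosts` cross-checks against the asset inventory rather than trusting the scan alone; real scanners also report per-host scan status, and that status is the better signal when it is available.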

Critical Control 5: Malware Defenses

Malicious software is an integral and dangerous aspect of Internet threats. It targets end users and organizations via Web browsing, e-mail attachments, mobile devices, and other vectors. Malicious code may tamper with a system's contents, capture sensitive data, and spread to other systems. To ensure anti-virus signatures are up-to-date, effective organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based Intrusion Detection Systems (IDS) features are active on every managed system. They also run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections or do not have the latest malware definitions. The system must identify any malicious software that is either installed, attempted to be installed, executed, or attempted to be executed, on a computer system. To evaluate the implementation of Control 5 on a periodic basis, the evaluation team must move a benign software test program appearing to be malware onto a system and make sure it is properly discovered and remediated.

Critical Control 6: Application Software Security

Criminal organizations frequently attack vulnerabilities in both web-based and non-web-based application software; exploiting application flaws is a top priority for them.

Application software is commonly vulnerable to remote compromise in three ways:

It does not properly check the size of user input
It fails to sanitize user input by filtering out potentially malicious character sequences
It does not initialize and clear variables properly

To avoid attacks, internally developed and third party application software must be carefully tested to find security flaws. Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software. Another useful tool is manual application security penetration testing by testers who have extensive programming knowledge and application penetration testing expertise. The system must be capable of detecting and blocking an application-level software attack, and must generate an alert or send e-mail to enterprise administrative personnel. To evaluate the implementation of Control 6 on a monthly basis, an evaluation team must use a web application vulnerability scanner to test software security flaws.
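The first two flaws from the list above, shown side by side with a hardened form, as an added example that is not part of the original page or of any SANS material: a lookup handler that pastes unbounded, unsanitized input straight into a SQL statement, beside one that bounds the input length, applies an allow-list, and binds the value as a query parameter. The user table is constructed in an in-memory SQLite database for the example.

```python
"""A lookup handler with unchecked input beside a hardened version (Control 6).

Added example, not code from the page or from SANS. The users table is
constructed in an in-memory SQLite database; the name format (short lowercase
identifier) is an assumption chosen for the example.
"""
import re
import sqlite3
from typing import List, Tuple

MAX_NAME_LEN = 32
NAME_RE = re.compile(r"[a-z0-9_]+")


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not data from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Deliberately flawed: no size check, no sanitization, input pasted into SQL."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def validate_name(name: str) -> bool:
    """Size check plus allow-list: only short lowercase identifiers pass."""
    return len(name) <= MAX_NAME_LEN and NAME_RE.fullmatch(name) is not None


def hardened_lookup(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Rejects bad input up front and keeps the data out of the query text."""
    if not validate_name(name):
        raise ValueError("rejected name")
    # Parameter binding: SQLite receives the statement and the value
    # separately, so quote characters in `name` can never alter the query.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(conn, payload))   # every row comes back
    print("hardened alice:", hardened_lookup(conn, "alice"))
    try:
        hardened_lookup(conn, payload)
    except ValueError as exc:
        print("hardened payload:", exc)
```

With the constructed payload the vulnerable handler returns every row, because the statement becomes `WHERE name = '' OR '1'='1'`; the hardened handler rejects the same payload before it reaches the database, and even a value that slipped past the allow-list could not change the statement because it is bound as a parameter. The third flaw in the list, uninitialized or uncleared variables, is mainly a concern in native code where stale stack or heap contents can be read back, and is not something this Python example can show.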

About the speaker

Dr. Eric Cole

Dr. Cole: cyber security professional, instructor, keynote speaker and expert witness. He is a senior fellow with SANS and a security consultant. (Bio from Twitter.)


Short URL: lanyrd.com/scddhq

Official event site: www.sans.org/info/124742
