Friday 16th August, 2013
9:00am to 5:00pm
During day 3, we will cover Critical Controls 7, 8, 9, 10 and 11.
Critical Control 7: Wireless Device Control
Attackers who gain wireless access to an organization from nearby parking lots have initiated major data thefts. This allows attackers to bypass an organization to maintain long-term access inside a target. Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems. The system must be capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to its networks. To evaluate the implementation of Control 7 on a periodic basis, the evaluation team staff must configure unauthorized but hardened wireless clients and wireless access points to the organization's network. It must also attempt to connect them to the organization's wireless networks. These access points must be detected and remediated in a timely manner.
Critical Control 8: Data Recovery Capability (validated manually)
When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and datum from the backup are all intact and functional.
Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
An organization hoping to find and respond to attacks effectively relies on its employees and contractors to find the gaps and fill them. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved. It can also help determine proper allocation of limited resources to improve security practices. The key to upgrading skills is measurement, not with certification examinations, but with assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite knowledge can be called upon to mentor the employees who do not. The organization can also develop training programs that directly maintain employee readiness.
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Attackers penetrate defenses by searching for electronic holes in firewalls, routers, and switches. Once these network devices have been exploited, attackers can gain access to target networks, redirect traffic on that network (to a malicious system masquerading as a trusted system), and intercept and alter information while in transmission. Organizations can use commercial tools that will evaluate the rule set of network filtering devices, which determine whether they are consistent or in conflict and provide an automated check of network filters. Additionally, these commercial tools search for errors in rule sets. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies. To evaluate the implementation of Control 10 on a periodic basis, an evaluation team must make a change to each type of network device plugged into the network. At a minimum, routers, switches, and firewalls need to be tested. If they exist, IPS, IDS, and other network devices must be included.
Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
Attackers search for remotely accessible network services that are vulnerable to exploitation. Many software packages automatically install services and turn them on as part of the installation of the main software package. When this occurs, the software rarely informs a user that the services have been enabled. Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. The system must be capable of identifying any new unauthorized listening network ports that are connected to the network. To evaluate the implementation of Control 11 on a periodic basis, the evaluation team must install hardened test services with network listeners on ten locations on the network, including a selection of subnets associated with DMZs, workstations, and servers.
Dr. Cole- cyber security professional, instructor, keynote speaker & expert witness. He is a senior fellow with SANS & security consultant. bio from Twitter
Sign in to add slides, notes or videos to this session