•  

SEC566.4: Critical Controls 12, 13, 14 and 15

A session at Critical Security Controls Summit

Saturday 17th August, 2013

9:00am to 5:00pm (EST)

Overview

During day 4, we will cover Critical Controls 12, 13, 14 and 15.

Critical Control 12: Controlled Use of Administrative Privileges

The most common method attackers use to infiltrate a target enterprise is through an employee's own misuse of administrator privileges. An attacker can easily convince a workstation user to open a malicious e-mail attachment, download and open a file from a malicious site, or surf to a site that automatically downloads malicious content. If the user is logged in as an administrator, the attacker has full access to the system. Built-in operating system features can extract lists of accounts with superuser privileges, both locally on individual systems and on overall domain controllers. These accounts should be monitored and tracked very closely. To evaluate the implementation of Control 12 on a periodic basis, an evaluation team must verify that the organization's password policy is enforced and administrator accounts are carefully controlled. The evaluation team does this by creating a temporary, disabled, limited privilege test account on ten different systems. It then attempts to change the password on the account to a value that does not meet the organization's password policy.

Critical Control 13: Boundary Defense

By attacking Internet-facing systems, attackers can create a relay point to break into other networks or internal systems. Automated tools can be used to exploit vulnerable entry points into a network. To control the flow of traffic through network borders and to look for attacks and evidence of compromised machines, boundary defenses should be multi-layered. These boundaries should consist of firewalls, proxies, DMZ perimeter networks, and network-based intrusion prevention systems and intrusion detection systems. Organizations should regularly test these sensors by launching vulnerability-scanning tools. These tools verify that the scanner traffic triggers an appropriate alert. The captured packets of the Intrusion Detection Systems (IDS) sensors should be reviewed using an automated script each day, which ensures log volumes are within expected parameters, are formatted properly, and have not been corrupted. To evaluate the implementation of Control 13 on a periodic basis, an evaluation team must test boundary devices. This is done by sending packets from outside a trusted network, which ensures that only authorized packets are allowed through the boundary. All other packets must be dropped.

Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs

At times, audit logs provide the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but rarely review them. When audit logs aren't reviewed, organizations don't know their systems have been compromised. Attackers rely on this. Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, and logs should be sent to centralized logging servers. The system must be capable of logging all events across the network. The logging must be validated across both network and host-based systems. To evaluate the implementation of Control 14 on a periodic basis, an evaluation team must review the security logs of various network devices, servers, and hosts.

Critical Control 15: Controlled Access Based On Need to Know

Some organizations do not carefully identify and separate sensitive data from less sensitive, publicly available information within an internal network. In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. This control is often implemented using the built-in separation of administrator accounts from non-administrator accounts. The system must be able to detect all attempts by users to access files without the appropriate privileges and must generate an alert or e-mail for administrative personnel. This includes information on local systems or network accessible file shares. To evaluate the implementation of Control 15 on a periodic basis, the evaluation team must create test accounts with limited access and verify that the account is unable to access controlled information.

CPE/CMU Credits: 6

About the speaker

This person is speaking at this event.
Dr. Eric Cole

Dr. Cole- cyber security professional, instructor, keynote speaker & expert witness. He is a senior fellow with SANS & security consultant. bio from Twitter

Sign in to add slides, notes or videos to this session

Tell your friends!

When

Time 9:00am5:00pm EST

Date Sat 17th August 2013

Short URL

lanyrd.com/scddht

Official event site

www.sans.org/info/124742

View the schedule

Share

See something wrong?

Report an issue with this session