Home > General > Security Controls – Know ’em, Use ’em

Security Controls – Know ’em, Use ’em


I wanted to create a post to share with our readers the SANs top 20 controls. These are a set of ‘good practices’ that are aligned with the National Institute of Standards and Technology (NIST) and should be adopted by any business in order to manage their computers and networks more effectively. I feel they are outlined in order of importance and I would like to begin with the most important (Number 1). A full list of the top 20 controls are available at http://www.sans.org/critical-security-controls/ I will try to detail several of them over the next few blog posts.

  • Inventory of Authorized and Unauthorized Devices

The need to have a complete and up to date inventory of what is on your network is crucial to knowing how to stop the bad guys from getting in. You can’t fix it if you don’t know its broken and the same holds true with networking. Just because you cannot see it doesn’t mean it can’t connect to your computers, servers, wireless. Anything that can connect to your wired network must be inventoried and if you use a wireless network you should REALLY inventory any system that is connected to it.

Use an automated asset discovery system to audit all of your devices or do it manually but you must do it. Audit your Dynamic IP configuration tools and consider network level authentication in the case of wireless. You can also consider using Private Key Infrastructure (PKI) to manage the authentication of devices if they support it in order to effectively manage access.

  • Inventory of Authorized and Unauthorized Software

Equally as important as knowing about all the devices connected to your network is knowing about all the software running on those devices. Attackers are scanning any device that is connected to your Internet connection starting with your router and any services that you expose to the public facing Internet. Port forwarding remote administration tools, web servers, even ports that you are not aware of so know all of the connection methods that your equipment uses and if you have wireless networks you need to inventory all software. A wireless network that is not separated from your wired (primary) network exposes ALL of your devices and the software running on those devices.

Use software that controls what applications are allowed to run (whitelisting). Use host based firewalls and remove unnecessary software and services that you do not know or need. Only deploy software tools from a known source and verify file integrity using hashes wherever possible.

  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

In their default configurations, most equipment manufacturers do not focus on safe and secured deployments. Why would they – they want the device to work in ANY situation. They leave the implementation of security to you, the purchaser. If you do not learn to modify configurations for your environment you are exposing yourself to attack not only from outside agents but from within as well (this is especially true with Wireless). Scripts that can be run (intentionally or otherwise) when a user visits a webpage will often include default credentials in order to catch the low hanging fruit. Adding your own configuration parameters can help mitigate those risks.

Utilize a standard build for new computer systems and store them offline if possible. Establish a secure mechanism to deploy any new system over the network and ensure that new configurations adhere to policies that you create and maintain. Implement a file integrity check on all key configuration files and maintain a change management system to log any/all modifications.

  • Continuous Vulnerability Assessment and Remediation

As new features, devices are added and software, firmware change the need to monitor and manage vulnerabilities can grow exponentially. Failing to scan for and fix critical vulnerabilities can introduce risk to your organization during the time it takes to find and the patch your software and firmware flaws. Implement or contract for vulnerability assessment on a regular basis to ensure that nothing is missed. All it takes is one avenue for an attacker to penetrate your systems – you have to make sure that all of them are closed. Implement central logging in order to monitor system wide activity and reduce the chance that an attacker can remove his tracks.

Setup a patch testing lab if uptime is important – it will allow you to rate your risk level whenever delay is necessary in deploying patches. Implement an automated patching mechanism and monitor activity to review any errors.

  • Malware Defenses

Malware is any software, script or piece of code that is intended to damage, disable or circumvent normal use of a computer. It can be harmful, benign or helpful although the latter is rarely the case. Your need to prevent it from happening is now more important that ever before. The ability for AniVirus/Antimalware software to prevent this from ever happening to you is gone. Attackers can and do use obfuscation techniques to thwart your scanning software so don’t rely on it. On the contrary, make sure that you use one and keep it up to date. It can be useful to catch 50-80% of the infection attempts.

 Control/Limit the use of external devices and consider implementing network based Intrusion Detection systems on or in conjunction with your firewall. Log all domain name queries to help identify known command and control contact to malicious domains. Create and implement an incident response process that can be helpful in adding any out of band malware that is not currently being detected by scanning signatures.

These five top 20 controls will have the most effect in preventing breach and helping you mitigate risk on your network. I suggest that my clients subscribe to our management service in order to help monitor and manage their Windows/Apple/Android devices and when we are contracted to manage the entire LAN we will monitor and manage the remaining devices. This allows us to have logs from all of the computer devices and can help us find the primary errors in any organization.

For a more detailed event monitoring approach we suggest that they utilize a device that can be used to hold all event logs from any network system (syslog server). It also allows us to use file integrity monitoring on devices that have a key role in the organization. There are agents for most hardware that can be installed to manage the files, bandwidth, etc.

OSSIM Version

OSSIM Version

It uses a vulnerability scanner to help identify any potential attack vector so we can remedy it. It also has a trouble ticket software built in that can create tickets automatically whenever a set of configured criteria are met which include traffic analysis, breach information, new devices found, etc.

For those of you who have read this far and find yourselves without adequate protection in any/all of these areas I would encourage you to consider looking at the Alienvault line of products.

I feel security is like insurance – it’s better to have and not need than need and not have.

Categories: General Tags: , ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: