Joint Written Project (JWP) Assignment







Automating Crosswalk between SP 800, the 20 Critical Controls, and the Australian Government Defence Signals Directorate's 35 Mitigating Strategies

GIAC Enterprises

Authors: Ahmed Abdel-Aziz, Robert Sorensen

February 2012



Automating Crosswalk between SP 800 and the 20 Critical Controls



Table of Contents

1. Executive Summary
2. Introduction
3. Relationship between SP 800, 20 Critical Controls, and the Australian Government DSD's 35 Mitigating Strategies
   3.1 SP 800
   3.2 20 Critical Security Controls
   3.3 Australian Government Defence Signals Directorate's 35 Mitigating Strategies
4. Developing APT-focused Security Guidance Strategy
   4.1 Advanced Persistent Threats (APTs)
   4.2 Risk-based Approach
5. Automation Approach for Critical Controls 15 and 17
   5.1 Exploiting the Absence of Critical Controls 15 and 17
   5.2 Focusing on the Data
   5.3 Establishing a Risk-based DLP Program
   5.4 Automating Data Classification and Policy Definition
   5.5 Automating the Control of Data-in-Motion
   5.6 Automating the Control of Data-at-Rest/Data-in-Use
6. Automation Approach for Critical Controls 4 and 5
   6.1 Exploiting the Absence of Critical Controls 4 and 5
   6.2 Focusing on the APTs, and the Threat Vectors through Continuous Monitoring
   6.3 Control 4 - Automating Continuous Vulnerability Assessment and Remediation
   6.4 Control 5 - Automating Continuous Monitoring of Malicious Software and Malware Callbacks
7. Recommended Risk-based Action Plan
8. References
9. Appendix
   Appendix A: FIPS PUB 200 - Specifications for Minimum Security Requirements
   Appendix B: Mapping between the 20 Critical Security Controls and National Institute of Standards and Technology Special Publication 800-53, Revision 3, Priority 1 Items
   Appendix C: Mapping between the 20 Critical Security Controls and the Australian Government Defence Signals Directorate's 35 Mitigation Strategies






1. Executive Summary

GIAC Enterprises is a small to medium-sized growing business (1,000 employees) with two data centers and 200 people in central business and IT. The GIAC Enterprises Fortune Cookie sayings are a closely guarded secret and have come under attack from competitors in the past. Recently, a security expert from a respected consultancy gave a briefing titled "Operation Shady RAT" that outlined a scenario in which many corporations and government organizations were compromised routinely over a period of five years (Alperovitch, 2011). This has prompted our organization to examine key security investments, come up with sound advice regarding security strategy, and decide how to implement that strategy.

In making this recommendation, we reached out for guidance included in widely recognized information security frameworks. Our analysis showed that SANS' Consensus Audit Guidelines (CAG) reinforce and prioritize some of the important elements put forth in U.S. government documentation such as NIST SP 800-53. Furthermore, portions of the CAG are reinforced by the Australian Government Defence Signals Directorate's (DSD) 35 strategies to mitigate targeted cyber intrusions. After reviewing the direct mapping between the 20 Critical Controls, NIST SP 800-53, and DSD's 35 strategies, we adopted a security guidance strategy that is based on, or designed to counter, Advanced Persistent Threats (APTs). APTs currently pose significant risks to GIAC Enterprises, and it is likely the situation will stay that way for the foreseeable future. Therefore, our risk-based security guidance strategy is information-focused and gives special attention to four security controls that are well geared toward attacks with APT characteristics. The four security controls are: 1) Controlled Access Based on the Need-to-Know; 2) Continuous Vulnerability Assessment and Remediation; 3) Malware Defenses; and 4) Data Loss Prevention (DLP).

We have devised automation approaches for these four controls to facilitate implementing them. We argue that more attention is needed to secure the data, and have proposed a model for a DLP program. Accordingly, we have developed an automation approach for data classification and DLP policy definition, followed by automation approaches to control data-in-motion, data-at-rest, and data-in-use. We knew that for an attack to succeed, it will need to exploit a vulnerability. That is why we also focused on reducing our attack surface by developing an automation approach for continuous vulnerability assessment and remediation, as well as malware defenses.

Finally, our research ends with a recommended action plan for GIAC Enterprises. The objective of this action plan is to take the organization from its current security state to the desired security state in a step-by-step fashion.



2. Introduction

Advanced Persistent Threats (APTs) (Andress, 2011)! Operation Shady RAT (Lau, 2011)! These are terms or references that just a few years ago would not have raised an eyebrow. Today, they are well known and often overused buzzwords. However, that does not change the nature of the threat that they have exposed. From the highly visible case of "Operation Aurora," where Google, Adobe, and dozens of other companies came under attack in 2009 and 2010 from sources believed to be in China (McClure, 2010), to the sophistication and stealth of the compromise of RSA intellectual property (Coviello, 2011), major corporations have come under attack. What is to prevent your enterprise from suffering the same fate?

As reported in the second Qualys annual report, modern-day attackers employ organized, well-written, and highly sophisticated exploit code to do their deeds (Dausin, 2010). To assist in counteracting the many assaults, one needs to take proactive steps to manage risk and exposure. Guidance to help mitigate this risk has been provided as a result of multiple initiatives. Examples of such initiatives are the Federal Information Security Management Act (FISMA), the 20 Critical Security Controls, and the Australian Government Defence Signals Directorate's (DSD) 35 Mitigating Strategies. An informative explanation follows to describe the relationship and synergy between these three initiatives.

In an effort to maximize the benefit of these initiatives with minimal resources, one must target a subset of controls to initially implement. This idea of initially targeting a subset of controls was proven successful by the Australian DSD, which will be covered in more detail. This research is based on a similar targeting approach; however, the subset of controls selected is a subset of the 20 Critical Controls. The development of a security guidance strategy for GIAC Enterprises, as well as automation approaches for that strategy, will be explored in detail.



3. Relationship between SP 800, 20 Critical Controls, and the Australian Government DSD's 35 Mitigating Strategies

3.1 SP 800

Title III of the E-Government Act of 2002 (P.L. 107-347), the Federal Information Security Management Act (FISMA), was designed to strengthen information security government-wide (E-Government Act of 2002). FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide security for the information systems that support its operations and assets, and tasked the National Institute of Standards and Technology (NIST) with developing the standards and guidelines agencies use to do so. The result was the establishment of the FISMA Implementation Project in January 2003 (FISMA Implementation Project, 2009). One of the key publications that came from this effort is SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations (SP 800-53 Revision 3, 2010). It is designed to cover the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. That standard specifies the minimum security requirements in seventeen security-related areas, and all federal agencies must be in compliance with it (FIPS PUB 200, 2006, p. v).

The specifications outlined for the minimum security requirements can be found in Appendix A: FIPS PUB 200 - Specifications for Minimum Security Requirements (FIPS PUB 200, 2006, pp. 2-4).

As noted, SP 800-53 is currently in its third revision. It will continue to be updated to reflect the current state of information security, including guidance concerning insider threats; software application security; social networking; mobile devices; cloud computing; cross-domain solutions; advanced persistent threat; supply chain security; industrial/process control systems; and privacy (Smith, 2011).

3.2 20 Critical Security Controls

In early 2008, as a response to the extreme data losses experienced by leading companies in the U.S. defense industrial base, a consortium of federal agencies and private organizations developed Version 1.0 of the Consensus Audit Guidelines, which define the most critical security controls to protect federal and contractor information and information systems (Baseline Standard of Due Care for Cybersecurity, 2009).

This effort has continued to evolve, and the 20 Critical Security Controls, Version 3.1, was released in October 2011 (Consensus Audit Guidelines Version 3.1, 2011). The effectiveness of this document is based on the knowledge of actual attacks and the defensive techniques that are most important to counteract them. Contributors include (CAG, 2011, p. 8):

Consensus Audit Guidelines Contributors

1) Blue team members inside the Department of Defense (DoD) who are often called in when military commanders find their systems have been compromised and who perform initial incident response services on impacted systems.
2) Blue team members who provide services for non-DoD government agencies that identify prior intrusions while conducting vulnerability assessment activities.
3) US Computer Emergency Readiness Team staff and other nonmilitary incident response employees and consultants who are called upon by civilian agencies and companies to identify the most likely method by which systems and networks have been compromised.
4) Military investigators who fight cyber crime.
5) The FBI and other law enforcement organizations that investigate cyber crime.
6) Cybersecurity experts at US Department of Energy laboratories and federally funded research and development centers.
7) DoD and private forensics experts who analyze computers that have been infected to determine how the attackers penetrated the systems and what they did subsequently.
8) Red team members inside the DoD tasked with finding ways of circumventing military cyber defenses during their exercises.
9) Civilian penetration testers who test civilian government and commercial systems to determine how they can be penetrated, with the goal of better understanding risk and implementing better defenses.
10) Federal CIOs and CISOs who have intimate knowledge of cyber attacks.

The 20 Critical Controls include 15 controls that can be continuously monitored and validated, at least in part, in an automated manner, and five that must be validated manually (CAG, 2011, pp. 9-10).

The 20 Critical Controls (those that are not subject to automated collection, measurement, and validation are marked):

1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defenses
6) Application Software Security
7) Wireless Device Control
8) Data Recovery Capability (validated manually)
9) Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
10) Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols, and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring, and Analysis of Security Audit Logs
15) Controlled Access Based on the Need to Know
16) Account Monitoring and Control
17) Data Loss Prevention
18) Incident Response Capability (validated manually)
19) Secure Network Engineering (validated manually)
20) Penetration Tests and Red Team Exercises (validated manually)

As described in the document, there is a direct relationship to the U.S. federal guidelines:

    The 20 Critical Controls are meant to reinforce and prioritize some of the most important elements of the guidelines, standards, and requirements put forth in other US government documentation, such as NIST Special Publication 800-53, SCAP, FDCC, FISMA, manageable network plans, and Department of Homeland Security software assurance documents. These guidelines do not conflict with such recommendations. In fact, the guidelines set forth are a proper subset of the recommendations of NIST Special Publication 800-53, designed so that organizations can focus on a specific set of actions associated with current threats and computer attacks they face every day (CAG, 2011, p. 12).

The direct mapping between the 20 Critical Security Controls and NIST Special Publication 800-53, Revision 3, Priority 1 items can be found in Appendix B.

The U.K. Centre for the Protection of National Infrastructure (CPNI) recently released a new guidance document detailing the Top Twenty Critical Security Controls. These provide a baseline of high-priority information security measures and controls that can be applied across an organization in order to improve its cyber defense. CPNI is participating in an international government-industry effort to promote the top twenty critical controls for computer and network security, which is being coordinated by the SANS Institute (Continuity Central, 2012).

3.3 Australian Government Defence Signals Directorate's 35 Mitigating Strategies

In 2010, the Australian Defence Signals Directorate (DSD) developed a list of 35 prioritized mitigation strategies to defend networks and systems from cyber attack, based on the study of all known targeted intrusions against government systems, and articulated what would have stopped the infections from spreading. The DSD updated and reprioritized this list in 2011 and determined that at least 85% of the targeted cyber intrusions could have been prevented by following the top four mitigation strategies. Because of this ground-breaking directive of focusing on the top four controls and implementing them, they received the 2011 U.S. National Cybersecurity Innovation Award (SANS Press Release, 2011). The top four specific controls (nicknamed the "sweet spot") are:

1) Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers;
2) Patch operating system vulnerabilities;
3) Minimize the number of users with administrative privileges; and
4) Use application whitelisting to help prevent malicious software and other unapproved programs from running.

The DSD's 35 Mitigating Strategies focus on individual tasks organizations can undertake to improve their security stance. They are a focused subset of the 20 Critical Controls, with a direct mapping detailed in Appendix C: Mapping between the 20 Critical Security Controls and the Australian Government Defence Signals Directorate's 35 Mitigation Strategies (CAG, 2011, pp. 72-75).

4. Developing an APT-focused Security Guidance Strategy

4.1 Advanced Persistent Threats (APTs)

In the past few years, intelligence agencies and computer security vendors have begun using the term Advanced Persistent Threats (APTs) to describe a series of cyber-based attacks. The term APT typically describes a foreign nation-state government with the advanced capability and persistence to commit cyber espionage (Binde, 2011). Publicly, we have seen a majority of companies in every industry deal with significant and costly attack vectors. In January 2010, the source code and intellectual property of Google and at least 20 other companies in the high-tech industry and defense industrial base were targeted and compromised during "Operation Aurora" (McClure, 2010). In November 2009, "Operation Night Dragon" included a series of coordinated and targeted attacks against global oil and gas companies (Shook, 2011). Most recently, in the attack described as "Operation Shady RAT," around 70 corporations and government organizations were compromised routinely over a period of five years (Alperovitch, 2011).

The above attacks included several commonalities. Routinely, the attackers used exploits for previously unknown vulnerabilities, known as zero-day attacks. Unsuspecting users opening email attachments or browsing malicious websites introduced these attacks into the victim network. Additionally, all of these attacks relied upon a remote command and control channel to steal the data out of the infected networks. In most cases, the compromised victims were discovered only after virus researchers discovered the attacker's command and control servers (Command, 2011).

4.2 Risk-based Approach

From SANS' point of view, focusing on the 20 Critical Controls will help an organization be prepared for the most important actual threats that exist in today's world. The 20 Critical Controls help organizations make better use of their limited security resources by using a prioritized set of overarching security controls. GIAC Enterprises will benefit greatly from fully adopting the 20 Critical Controls; however, fully adopting these Critical Controls will take considerable time. Therefore, we argue that GIAC Enterprises would benefit most if it takes a risk-based approach to initially implement only the subset of the 20 Critical Controls that addresses its highest risks first. Afterwards, the remaining Critical Controls can be implemented. It is our belief that, due to the nature of GIAC Enterprises' business, and being the world's largest supplier of Fortune Cookie sayings, its intellectual property is a target for theft. This makes APT-related risks the highest at this point in time for GIAC Enterprises. The initial focus should be on mitigating such risks. The next step of the strategy is to apply the "offense-informs-defense" concept to determine which subset of controls is better geared to mitigate APT-related risks.

To determine the appropriate subset of controls, one would benefit greatly from tapping into the collective experience of the 20 Critical Controls' contributors, who are responsible for responding to actual attacks or conducting red team exercises (CAG, 2011, pp. 8-9). Based on the contributors' first-hand knowledge of real-world attacks and associated defenses, the contributors included a table of attacks mapped to the most directly related control. That table represents the foundation for selecting a subset of controls based on the "offense-informs-defense" concept.

Reviewing the Attack Types table included in the appendix of the 20 Critical Controls Consensus Audit Guidelines (CAG, 2011, pp. 76-77), it is clear that four attacks stand out as having APT characteristics. The same table suggests which critical control is most appropriate for each attack. The four attacks and the related controls are listed below (attack summary, followed by the most directly related control):

1) Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation. Most directly related control: Critical Control 4, Continuous Vulnerability Assessment and Remediation.

2) Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and then spread it to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools. Most directly related control: Critical Control 5, Malware Defenses.

3) Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information or separate it from non-sensitive information. Most directly related control: Critical Control 15, Controlled Access Based on the Need-to-Know.

4) Attackers gain access to internal enterprise systems to gather and exfiltrate sensitive information without detection by the victim organization. Most directly related control: Critical Control 17, Data Loss Prevention (DLP).

The methodology described above for selecting a subset of controls led to the selection of Critical Controls 4, 5, 15, and 17. A proper analysis would not be complete without comparing this subset of controls to a statistically proven subset of controls such as the one recommended by the Australian DSD. The Australian DSD determined that at least 85% of targeted cyber intrusions could be prevented by implementing four specific controls:

1. Patch applications such as PDF readers, Microsoft Office, Java, Flash Player, and web browsers;
2. Patch operating system vulnerabilities;
3. Minimize the number of users with administrative privileges; and
4. Use application whitelisting to help prevent malicious software and other unapproved programs from running.

It is the authors' opinion that the subset of controls selected actually resonates with the Australian DSD recommendation:

- Australia's DSD Controls 1 and 2 are in line with selecting Control 4, "Continuous Vulnerability Assessment and Remediation";
- Australia's DSD Control 3 is in line with selecting Controls 15 and 17, "Controlled Access Based on Need-to-Know" and "DLP"; and
- Australia's DSD Control 4 is in line with selecting Control 5, "Malware Defenses."

It is imperative that GIAC Enterprises protect its sensitive data, its intellectual property. The risk-based methodology used resulted in a subset of controls that is rather unique in that it is information-focused, and not identical to statistically supported work such as the systems-focused Australian DSD list. Based on GIAC Enterprises' need, and the recent shift in attention from securing networks, to securing systems, to securing the data itself (CAG, 2011), we argue that GIAC Enterprises would benefit more from adopting our recommended subset of controls. Perhaps future work based on this research may provide evidence that this approach is more effective in securing intellectual property.

Therefore, the subset of the 20 Critical Controls to implement first for GIAC Enterprises is Controls 4, 5, 15, and 17. These controls lend themselves to automation, and so the next sections of the paper will highlight some automation approaches for these controls.



5. Automation Approach for Critical Controls 15 and 17

Critical Controls 15 and 17 of the 20 Critical Controls state that data access is to be controlled, and that access to data should be on a need-to-know basis. In addition, data loss prevention capabilities should be in place. Going back to the "offense-informs-defense" theme, one needs to first understand how attackers exploit the absence of these controls before attempting to automate them.

5.1 Exploiting the Absence of Critical Controls 15 and 17

Organizations often do not carefully identify and separate sensitive information from publicly available information on their information systems. Because there is no such separation between the two types of information, internal users will have access to all or most of the sensitive information. This makes it easy for attackers who have penetrated the network to find and exfiltrate the sensitive information. What compounds the problem further is that an organization may not be monitoring data outflows to quickly detect such exfiltration. While some information is leaked as a result of theft or espionage, the vast majority of such problems occur from poorly understood data practices, lack of effective policy, and user error (CAG, 2011, p. 60). The loss of control over sensitive information (such as the cookie sayings intellectual property) is a serious vulnerability, and introduces a high risk to GIAC Enterprises.

5.2 Focusing on the Data

Over the last few years, there has been a noticeable shift in attention and investment from securing the network, to securing systems within the network, to securing the data itself (CAG, 2011). To be able to secure the sensitive data, one needs to know what constitutes sensitive data. Two main types of sensitive data exist: Regulatory Data and Corporate Data.

[Figure: the two types of sensitive data and the three points of control. Sensitive Regulatory Data: credit card data, privacy data (PII), health care information. Sensitive Corporate Data: intellectual property, financial information, trade secrets. Each type is controlled as Data-at-Rest, Data-in-Motion, and Data-in-Use.]

Regulatory Data is found in many organizations, and it takes the same form regardless of which organization stores it. On the flip side, Corporate Data is usually unique data that differs from one organization to another. This unique property of Corporate Data makes it more challenging to identify, control, and secure. The intellectual property of GIAC Enterprises (cookie sayings) falls into the Corporate Data type of sensitive data.

Controlling sensitive data can take place when the data is at rest (e.g., data storage), when the data is in motion (e.g., network actions), and when the data is in use (e.g., endpoint actions). To facilitate controlling sensitive data, GIAC Enterprises needs to establish a proper Data Loss Prevention (DLP) program.

5.3 Establishing a Risk-based DLP Program

There are many publications in the market about how complex and expensive DLP projects can get if not properly handled. It can be argued that a primary reason for such a perception is a lack of attention to people and process in DLP projects. Rather than considering DLP a point product, one can benefit from considering DLP a technology that helps build processes to prevent people from leaking sensitive data. To establish a proper DLP program for GIAC Enterprises, the following three-phased model (discover, educate, enforce) is suggested:

Whether sensitive data is being controlled at rest, in use, or in motion, this three-phased model will be used. The first step is to better understand risk by identifying sensitive data through a discovery process. The risk discovery phase can occur while data is in use, in motion, or at rest. The next step is where risk starts to be mitigated through education of both end users and risk teams. Finally, risk mitigation reaches its peak by enforcing effective security controls that don't get in the way of business productivity.

5.4 Automating Data Classification and Policy Definition

For GIAC Enterprises, the cookie sayings intellectual property is the data that needs to be controlled. As described earlier, this represents sensitive data of type Corporate Data. For technology to identify sensitive data through a discovery process, it needs to understand what sensitive data is. It would be optimal to just tell the technology that sensitive data is any cookie saying; unfortunately, it is not that simple. If cookie sayings were Regulatory Data with a fixed, recognizable form (e.g., a credit card number), then technology could easily understand that cookie sayings are sensitive data. As Corporate Data, they have no such form, so the criteria that make a cookie saying sensitive must come from the business.



[Figure (belongs to section 5.3): DLP Program Lifecycle Management, driven by risk-based policies. Risk across the infrastructure is plotted against time through three phases: DISCOVER (understand risk), EDUCATE (reduce risk through end users and risk teams), and ENFORCE (reduce risk through security controls).]



Data classification (defining data sensitivity) is a complex task, because only the business owners know this information. The sensitivity of cookie sayings, as well as other data, is dynamic and often varies by business function and time. It is a challenge for security teams to define what data is sensitive and how it should be handled according to policy. The logical approach is to involve the line of business in the process of data classification and policy definition, but involving the line of business is not trivial. An effective way to address this challenge is to enable the business owners to directly define what data is sensitive (or what criteria make data sensitive), and how the sensitive data should be handled. To automate this, a portal with a workflow engine can be used. This type of automation can be achieved by Governance, Risk, and Compliance (GRC) tools, if these tools are integrated with the DLP technology being used. One example of such a solution is the RSA DLP Policy Workflow Manager illustrated below:






[Figure: RSA DLP Policy Workflow Manager. Step 1: identify files and set business rules. Step 2: create the DLP policy and check it for feasibility. Step 3: the DLP policy is routed for approval. Step 4: the approved DLP policy is applied across the organization. Participants: business managers, the DLP administrator and end users.]

It is important to point out that this stage is not about using a tool to go around and locate sensitive data all across the organization. This stage merely defines what it is that we should look for and, when we find it, how it should be handled. It is about defining criteria and rules, not about scanning. The output of this stage is a set of risk-based DLP policies, such as the following:




Data sensitivity is one of three key elements constituting the risk level for a DLP policy (the others being the identity of the user and the action the user is taking). For the sake of simplicity, GIAC Enterprises can initially start with only two classification levels: sensitive and public. In the future, the classification levels can be extended to three: secret, private, and public.

A properly integrated DLP and GRC solution represents an abstraction layer that lets the line of business define technical DLP policies. These policies will then be used to control data in motion, at rest, or in use. The integrated DLP and GRC solution is technology that helps to fill the undesired gap in the people and process elements of DLP projects. Using such an automation approach for data classification and DLP policy definition can reduce the duration of these activities from weeks to days. This section helps to automate sub-control 15.1, and lays the foundation for automating most sub-controls of Critical Controls 15 and 17 (CAG, 2011, p. 55).

5.5 Automating the Control of Data-in-Motion

People and process elements of DLP projects are often ignored. To address these two elements when automating the control of data in motion, GIAC Enterprises needs to follow this process:

1) Initially understand the risk of data-in-motion across the various protocols (Monitor Only);

2) Just-in-time education can be introduced to users to mitigate risk (Monitor and Educate); and

3) In the enforcement phase, an action such as automatically encrypting sensitive data can be implemented. Also in this final phase, unauthorized encrypted data can be blocked to mitigate the exfiltration of sensitive data that was encrypted by APTs (Automate Action).

[Figure: Enforce security controls based on the risk of a violation. The risk level (LOW to HIGH) is derived from three inputs defined in the DLP policy: user action, data sensitivity and user identity. The response, manual or automated, is one of: BLOCK, AUDIT, ENCRYPT, QUARANTINE, JUSTIFY, MOVE, DELETE, SHRED, RMS (DRM), COPY, NOTIFY, ALLOW.]




The following scenario is an example of just-in-time education when controlling data-in-motion. A GIAC Enterprises employee has just sent out an email containing a sensitive cookie saying. When the network traffic is scanned by the DLP system, an alert is sent to the employee saying that the email they just sent possibly violates the GIAC Enterprises intellectual property policy. The alert also includes the policy itself and why this email represents a violation. The employee is then given the option (illustrated in the figure below) of sending the email because they are sure this is not a policy violation, or not sending the email at all. Either way the action and the employee's decision are logged, and the employee is educated just-in-time. If the employee faces a similar situation in the future, they will likely make a better decision, and therefore reduce GIAC Enterprises' risk level.
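The three-phase process and the enforcement figure above can be captured as a small policy engine. The block below is an added example for this page, not code from the paper or from any DLP vendor: the risk of a violation is computed from the figure's three inputs (data sensitivity, user identity as a role, and user action as a channel), the phase selects how much the engine is allowed to interfere (Monitor Only, Monitor and Educate, Automate Action), and a JUSTIFY decision models the scenario in which the user may send anyway after stating a reason. The roles, channels, weights and thresholds are assumptions chosen for the demo.

```python
"""Risk-based DLP enforcement for data-in-motion.

Added example (not from the paper or any vendor): the risk of a violation is
derived from the three inputs of the enforcement figure, data sensitivity,
user identity (role) and user action (channel), and mapped to one of the
figure's responses. `phase` follows the paper's Monitor Only / Monitor and
Educate / Automate Action progression. Roles, channels, weights and thresholds
are assumed values for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SENSITIVITY = {"public": 0, "sensitive": 2, "secret": 3}   # classification levels from section 5.4
CHANNEL_RISK = {"internal_email": 0, "print": 1, "external_email": 2, "usb": 3, "webmail": 3}
ROLE_RISK = {"saying_owner": 0, "employee": 1, "contractor": 2, "unknown": 3}
PHASES = ("monitor", "educate", "enforce")


@dataclass
class Event:
    user: str
    role: str
    channel: str
    sensitivity: str
    justification: Optional[str] = None   # supplied when the user answers a JUSTIFY prompt


def risk_score(ev: Event) -> int:
    """0 for public data; otherwise sensitivity weighted by how exposed the channel and user are."""
    return SENSITIVITY[ev.sensitivity] * (CHANNEL_RISK[ev.channel] + ROLE_RISK[ev.role])


def decide(ev: Event, phase: str) -> str:
    if phase not in PHASES:
        raise ValueError(f"unknown phase {phase!r}")
    score = risk_score(ev)
    if score == 0:
        return "ALLOW"
    if phase == "monitor":                       # understand risk: record, never interfere
        return "AUDIT"
    if phase == "educate":                       # just-in-time education, user keeps the final say
        return "NOTIFY" if score < 8 else "JUSTIFY"
    if score < 4:                                # enforce: automated action proportional to risk
        return "NOTIFY"
    if score < 8:
        return "ENCRYPT" if ev.channel.endswith("email") else "JUSTIFY"
    return "BLOCK"


@dataclass
class Enforcer:
    phase: str
    log: List[Tuple[str, str, int, str, Optional[str]]] = field(default_factory=list)

    def handle(self, ev: Event) -> Tuple[str, bool]:
        """Return (action, delivered). NOTIFY lets the user proceed; JUSTIFY needs a stated reason."""
        action = decide(ev, self.phase)
        if action in ("ALLOW", "AUDIT", "NOTIFY", "ENCRYPT"):
            delivered = True
        elif action == "JUSTIFY":
            delivered = bool(ev.justification)
        else:                                     # BLOCK
            delivered = False
        # Every decision is logged, including the user's justification, so the risk
        # team can review overrides and tune the policy.
        self.log.append((ev.user, ev.channel, risk_score(ev), action, ev.justification))
        return action, delivered


if __name__ == "__main__":
    e = Enforcer("enforce")
    print(e.handle(Event("alice", "employee", "external_email", "sensitive")))
    print(e.handle(Event("bob", "contractor", "usb", "secret")))
    print(Enforcer("educate").handle(Event("dave", "employee", "webmail", "sensitive",
                                            justification="approved by legal")))
```

Because the same `risk_score` feeds all three phases, moving from Monitor Only to Automate Action is a configuration change rather than a new policy, which is the point of the phased approach: the monitor-phase log shows what the enforce phase would have blocked before anything is actually blocked.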




This section helps to automate sub-controls 17.2, 17.3, 17.5, 17.6, 17.9 and 17.10 (CAG, 2011, pp. 61-62), and 15.4 (CAG, 2011, p. 55).





[Figure: Process to reach automation (data-in-motion). Risk across web protocols, email, IM and generic TCP/IP protocols is plotted against time through DISCOVER (monitor only; understand risk), EDUCATE (monitor and educate; users just-in-time) and ENFORCE (automate action; encryption, blocking, etc.), reducing risk.]



5.6 Automating the Control of Data-at-Rest/Data-in-Use

At this stage, as in the earlier stage of controlling data in motion, sensitive data has been identified using the techniques highlighted in section 5.4. Where the sensitive data is, who has access to it, and how it is being used is still not clear at this point in time, so the risk exposure is unknown. When these questions are answered, the risk exposure becomes known. The focus of this section is on how to answer these important questions in an automated manner. Continuing with the same theme (giving more attention to the people and process elements of DLP projects), GIAC Enterprises needs to follow this process for automating the control of data-at-rest and data-in-use:

1) Understand the risk of data-at-rest in all data stores. This requires scanning all data stores to identify where sensitive data is located. The tools available for this vary from open source tools such as OpenDLP to commercial DLP tools. Once the location of sensitive data is identified, the next step is to know who has access to the sensitive data, and whether they have a need-to-know. This second scanning operation is often performed using a different set of tools, some of which are free and gather the ACLs of files and folders on network shares, such as ShareEnum. Other tools may be built in and monitor file activity, such as the Windows audit logging capability for files (Scanning);

2) Just-in-time education can be introduced to users to mitigate the risk associated with sensitive data. As the line of business becomes more educated, proper data governance policies can be defined (Monitor and Educate); and

3) In the enforcement phase, data governance policies can be implemented to further reduce risk. An action such as automatically encrypting sensitive data at rest can be implemented. Also in this final phase, integration of DLP with other technologies, such as Digital Rights Management (DRM) tools, can be leveraged. An integration example would be the automatic application of DRM controls to sensitive data when DLP senses the data is being copied to an external drive (Automate Action).
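Step 1 above combines two scans, content and permissions, and has to be repeatable without rescanning every byte each time. The following added example, written for this page and not taken from the paper, OpenDLP or any vendor, shows the shape of such a scanner: it walks a repository, re-reads only files whose size or modification time changed since the last manifest, runs a content detector on them, and reports sensitive files whose ACL grants access to broad groups (the need-to-know question). The detector is a keyword stub standing in for a real engine, the ACL map stands in for what ShareEnum or icacls would return, and all paths, contents and principals are constructed for the demo.

```python
"""Incremental data-at-rest discovery plus need-to-know review.

Added example (not from the paper, OpenDLP or any vendor): walk a repository,
rescan only files whose size or mtime changed since the manifest was written,
run a content detector on them, and report sensitive files whose ACL grants
access to broad groups. The detector is a keyword stub; the ACL map stands in
for what ShareEnum or icacls would return. Paths and principals are constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Set

BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_data_at_rest(root: Path, manifest: Dict[str, dict],
                      detector: Callable[[str], bool],
                      acl_lookup: Callable[[str], Set[str]]) -> List[dict]:
    """Update `manifest` in place and return findings for sensitive files."""
    seen, findings = set(), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        key = path.relative_to(root).as_posix()
        seen.add(key)
        st = path.stat()
        entry = manifest.get(key)
        if entry and entry["size"] == st.st_size and entry["mtime_ns"] == st.st_mtime_ns:
            sensitive = entry["sensitive"]            # unchanged since last scan: reuse verdict
        else:
            sensitive = detector(path.read_text(errors="ignore"))
            manifest[key] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                             "sha256": sha256_file(path), "sensitive": sensitive}
        if sensitive:
            readers = acl_lookup(key)
            broad = readers & BROAD_PRINCIPALS
            findings.append({"path": key, "readers": sorted(readers),
                             "broad_access": sorted(broad),
                             "remediation": "change permissions" if broad else "none"})
    for key in set(manifest) - seen:                  # files deleted since the last scan
        del manifest[key]
    return findings


def demo() -> dict:
    """Build a small repository, scan it twice, and show the second pass skips unchanged files."""
    calls = {"detector": 0}

    def detector(text: str) -> bool:
        calls["detector"] += 1
        return "cookie saying" in text.lower()    # stub; a real engine would fingerprint sayings

    # Constructed ACLs: who can read each file on the share.
    acls = {"sayings/q3_fortunes.txt": {"Everyone", "Marketing"},
            "hr/holidays.txt": {"Domain Users"}}

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sayings").mkdir()
        (root / "hr").mkdir()
        (root / "sayings" / "q3_fortunes.txt").write_text(
            "COOKIE SAYING #17: fortune favours the patient baker\n")
        (root / "hr" / "holidays.txt").write_text("Office closed on public holidays\n")
        manifest: Dict[str, dict] = {}
        first = scan_data_at_rest(root, manifest, detector, lambda k: acls.get(k, set()))
        first_calls = calls["detector"]
        second = scan_data_at_rest(root, manifest, detector, lambda k: acls.get(k, set()))
        return {"findings": first, "rescan_findings": second,
                "detector_calls_first": first_calls,
                "detector_calls_second": calls["detector"] - first_calls,
                "manifest_size": len(manifest)}


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes the regular rescans the paper mentions affordable: a nightly run touches only changed files, while the stored hash lets a later pass prove a file is byte-identical to the one the business already classified. The `remediation` field is the input to the workflow discussed below; the scanner itself never changes a permission.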





For GIAC Enterprises, the cookie sayings intellectual property is likely scattered all across the organization. At this stage, the line of business has defined what sensitive data is and that definition is incorporated into DLP policies. The security/risk team now knows what it is they are looking for. The scanning operations that take place in the discovery phase of the above process will answer two important questions: 1) Where is the sensitive data? and 2) Who has access to it? The answers to these two questions will help GIAC Enterprises understand the risks associated with sensitive data (cookie sayings) at rest and in use.

It is definitely a challenge to locate sensitive data among terabytes of data spread across multiple sites. In fact, it resembles trying to locate gems on an extremely long sandy shore. Luckily, technology is available to overcome this problem, even in massive environments. The scanning technology of commercial DLP vendors can transform existing servers into a powerful cluster that scans terabytes of data in parallel with no additional hardware. Using temporary software agents, sensitive data is identified in multiple repositories such as file servers, endpoints, databases, and collaborative environments such as Microsoft SharePoint. Monitoring incremental changes to data repositories is possible, so that scanning can take place on a regular basis without rescanning everything. By bringing the scanning software to the data, and not vice versa, it is possible to scan massive amounts of data without saturating the network.

[Figure: Process to reach automation (data-at-rest/-in-use). Risk across data permissions and stores (file shares, databases, endpoints, repositories, etc.) is plotted against time through DISCOVER (scanning; understand risk), EDUCATE (monitor and educate; users just-in-time) and ENFORCE (automate action; data governance policy: encryption, DRM, block, shred, log, etc.), reducing risk.]

The figure below illustrates the architecture used to perform sensitive data discovery in a multi-site environment with multiple data repositories:



[Figure: Sensitive data discovery architecture. A DLP administrator directs software agents deployed in the main data center, a secondary data center and remote offices, scanning file servers, databases and SharePoint.]

After using technology in the discovery phase to answer where sensitive data is, one has a better understanding of risk. However, understanding the risk is only the first half of the story. The second half is risk remediation, and it is not trivial.

The second half of the story (risk remediation for sensitive data at rest) is about defining the appropriate data governance policy and applying it so that files with sensitive content are properly protected. However, encrypting a file, moving it to a more secure repository, or changing its permissions without involving the end users of the file can have a negative impact on any organization. The proper way to address this challenge is to involve the line of business in the remediation process. The benefit is that proper data governance policies can be defined for cookie sayings without negatively impacting the business. The drawback is that the duration of the risk remediation process can increase significantly, with emails, phone calls and spreadsheets going back and forth between the security/risk team and the line of business to properly protect a large number of files located all around GIAC Enterprises.

The drawback described above is a workflow challenge, and can be overcome using a proper risk management workflow module that automates risk remediation. This type of automation can be achieved by GRC tools, especially if these tools are integrated with the scanning tools used to discover sensitive data, permissions, and file activity. The module would enable the security/risk team to send remediation options and questionnaires about the business context to the business owners in an automated manner. This empowers the business users to take appropriate decisions about the sensitive files they own. An example is the RSA DLP Risk Remediation Manager (RRM) solution, shown below:



[Figure: RSA DLP Risk Remediation Manager. The Data Loss Prevention (DLP) grid (agents, temporary agents, virtual grid) discovers sensitive data on SharePoint, databases, endpoints, NAS/SAN and file servers; RRM, fed by file activity tools and GRC systems, manages the remediation workflow with business users; controls are then applied: apply DRM, encrypt, delete/shred, change permissions, or grant a policy exception.]

Using such an automation approach for risk remediation of data-at-rest can take the duration of these activities down from months to weeks. The benefit of the automation approach is twofold:

• The automation allows just-in-time education of the line of business, which facilitates the definition of the data governance policy and improves future actions; and

• The automation significantly reduces the remediation time for data governance policy violations without negative business impact. This increases the efficiency of a reactive control, and reduces the window of opportunity for APTs.


This section helps to automate sub-controls 15.2, 15.3, 15.5, 15.6 and 15.7 (CAG, 2011, pp. 55-56), and 17.4 and 17.7 (CAG, 2011, p. 61).

6. Automation Approach for Critical Controls 4 and 5

Critical Controls 4 and 5 of the 20 Critical Controls state that attackers exploit new vulnerabilities on systems that lack critical patches, and use malicious code to gain control of target systems, which could allow the capture of sensitive information such as cookie sayings from GIAC Enterprises.

To fully understand what controls are best suited for the prevention and mitigation of APTs, one first needs to understand the attack vector typically used.

Malware innovations have been driven by attackers' quest to gain increasing control of compromised systems and the networks in which they reside. A recent white paper sponsored by Imperva entitled 'Advanced Persistent Threat: Are You the Next Target?' presents a diagram detailing the anatomy of an APT attack (Bitpipe.com, 2011):






Considering the dynamics of the advanced malware infection lifecycle, the following illustrates another commonly adopted infection approach (Damballa, 2011):

1) Victim surfs to a website or clicks on an email link (e.g., phishing, drive-by download);

2) Browser is redirected to a malicious dropper site;

3) Victim is misled into downloading the dropper, or the dropper is automatically downloaded through an exploit;

4) Dropper unpacks on the victim machine and runs;

5) Dropper contacts a new site: UPDATE;

6) UPDATE sends Command & Control (C&C) instructions;

7) Dropper contacts C&C site #1 with victim identity details;

8) C&C site #1 sends encrypted malware with new C&C instructions. The malware might even be 'locked' to the victim machine;

9) Malware is decrypted by the dropper and installed. The dropper may stay behind as false evidence for investigators, or delete itself so that investigators believe no infection has occurred; and

10) Malware contacts C&C site #2 and sends passwords, data, etc. as an encrypted payload.

Steps 8, 9 and 10 can repeat indefinitely, with the malware 'evidence' and C&C connection instructions changing constantly. The malware can be repurposed or told to lie silent for prolonged periods of time.




As one can deduce from the above description of APTs, the client is the primary target of the attackers. Through the use of social engineering, targeted spear phishing emails are sent to known key users in an organization. A carefully crafted email entices an unsuspecting victim to click on a malicious attachment that is made to appear as a typical file the user expects from the spoofed sender.

Control 4 was chosen to help block the above threat vector by focusing on client-based authenticated vulnerability scanning, including checking for the presence or absence of key patches, and quickly remediating any vulnerabilities found. Control 5 was chosen to reduce and remediate the effect malware has in APTs.

6.1 Exploiting the Absence of Critical Controls 4 and 5

Any time new vulnerabilities are discovered and reported by security researchers or vendors, attackers are quick to develop exploit code and immediately launch attacks. Delays in finding or patching software with exploitable vulnerabilities provide ample opportunity for persistent attackers to gain a critical foothold in the enterprise. Not thoroughly scanning for vulnerabilities and addressing discovered flaws proactively leaves one open to system compromise. Malicious software is also used to target end users via web browsing, email attachments, mobile devices, and other vectors. This code attempts to capture sensitive data, spread to other systems, and evade signature-based detection, even disabling anti-virus tools running on systems (CAG, 2011, pp. 23-26). John Pescatore, a distinguished Gartner analyst, said at a recent Gartner Security and Risk Management Summit, "There is no such thing as the unstoppable attack in cybersecurity. Every attack, in order to succeed, needs to exploit a vulnerability" (infosecurity.com, 2011). Having no means to detect or prevent malicious software from being installed and then establishing a command and control channel introduces a risk to GIAC Enterprises that is unacceptable.

6.2 Focusing on the APTs and the Threat Vectors through Continuous Monitoring


Whether attackers use viruses, Trojans, bots, or rootkits, today's malware is designed for the long-term control of compromised client machines. Advanced malware also establishes outbound communications across several different protocols to upload collected data and download further malware payloads for additional criminal purposes. One of the keys to protecting sensitive data is continuous monitoring. This includes verifying that systems are not susceptible to well-known exploits, through vulnerability assessments and diligent patch management.


The Risk Assessment (RA-3) and Vulnerability Scanning (RA-5) guidance provided by NIST conforms to this concept. As shown in the workflow diagram below, an assessment of risk is performed, the risk is documented, results are reviewed, and the risk assessment is updated. For vulnerability scanning, a similar diagram presents a continual cycle of scanning for vulnerabilities, analyzing scan reports, remediating legitimate vulnerabilities, and correlating and sharing results to reduce systemic weaknesses or deficiencies (SP 800-53 Revision 3, 2010, pp. F92-93).

[Figure: Workflow 1 - Risk Assessment: conduct assessment of risk; document risk assessment results; review and update risk assessment (repeating cycle). Workflow 2 - Vulnerability Scanning: conduct vulnerability scans; analyze vulnerability scan reports; remediate legitimate vulnerabilities; correlate and share results to reduce systemic weaknesses or deficiencies (repeating cycle).]






Continuous monitoring is a crucial element in the Risk Management Framework developed by NIST. NIST's recently released SP 800-137, "Information Security Continuous Monitoring for Federal Information Systems and Organizations," defines continuous monitoring as "maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions" (SP 800-137, 2011, p. vi). In addition, an organization's overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur. Recent guidance from the Office of Management and Budget on FISMA reporting emphasizes monitoring on an ongoing basis rather than periodic assessments (Jackson, 2011).

6.3 Control 4 - Automating Continuous Vulnerability Assessment and Remediation


Considering that an APT always starts with the compromise of a system that was vulnerable, a means of understanding what vulnerabilities exist and what patches are available to remediate them is critical. This is where GIAC Enterprises can take positive steps to protect and isolate itself from easily prevented client-based exploits. Research indicates that a limited number of exploits in just a handful of widely used third-party applications are responsible for nearly all successful enterprise malware infections on Windows clients. According to research released last September by the research firm CSIS Security Group, a three-month study of real-time attack data showed that as many as 85% of all virus infections occurred as a result of automated drive-by attacks created with commercial exploit kits, and nearly all of them targeted five popular third-party applications: Java Runtime Environment (JRE), Adobe Flash, Adobe Acrobat and Reader, Internet Explorer, and Apple QuickTime (Kruse, 2011). This research provides additional credence to the focus of the Australian DSD findings.


Automated vulnerability scanning should run on all organizational assets on at least a weekly basis. Any time a new system is introduced to the network, a scan should automatically occur. In addition, authenticated scans of known system types should occur. For example, an administrative account should be established on all Windows-based systems and the vulnerability scans should use the privileges of this account when performing scans. Because that account holds administrative rights on every client, it should be dedicated to scanning, restricted to logging on from the scanners, and have its use logged and reviewed. This can be part of an enterprise solution incorporating agent-based clients to facilitate the scans.


Scanning tools should scan for specific functionality, ports, protocols, and services that should not be accessible to users or devices, and for improperly configured systems. More importantly, modern scanners should determine whether key operating system and third-party application patches are applied. Mobile code technologies such as Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and VBScript should be closely monitored and perhaps even restricted. Malware targeting vulnerabilities in application layer software, such as those mentioned above, needs to be countered by ensuring all application software is at the most current release. Perhaps it is time to ban these dangerous third-party applications, as editorialized by Eric Parizo, Senior Site Editor of SearchSecurity.com (Parizo, 2012)? If not completely banning the use of third-party applications, consider implementing security controls such as removing Java from the Internet zone in Internet Explorer, configuring Adobe Reader to prompt for JavaScript execution, or disallowing embedded executables from running in PDFs. Research by Dan Guido and the Exploit Intelligence Project has shown these steps to be the most efficient (Guido, 2011).

These vulnerabilities should be expressed in industry-recognized vulnerability, configuration, and platform classification schemes, such as the Common Vulnerabilities and Exposures (CVE) naming convention, with the Open Vulnerability and Assessment Language (OVAL) used to test for the existence of vulnerabilities. Other excellent resources for vulnerability information are the Common Weakness Enumeration (CWE) and the National Vulnerability Database (NVD).

Correlating the existence of known vulnerabilities that can be easily remedied by appropriate patching must be integrated into this process. By applying the known trifecta associated with quality vulnerability scanning and remediation, GIAC Enterprises can hit the 'Sweet Spot' to further reduce and eliminate easily exploitable holes.







To reduce or eliminate known security risks in the computing environment, GIAC Enterprises needs to follow this process for automating this critical control:

1) Implement an automated approach to patching by utilizing solutions such as Microsoft Windows Server Update Services (WSUS) or other commercial management software, for operating system and third-party software on all systems;

2) Identify, analyze, and remediate vulnerabilities by implementing an effective continuous vulnerability assessment program. All vulnerability scanning should be performed in authenticated mode, either with agents running locally on each system to analyze the security configuration or with remote scanners that are given administrative rights on the client systems being tested;

3) Scanning tools should be tuned to identify changes over time on each client machine for both authorized and unauthorized services. This will assist in detecting backdoors that might have been created on a compromised system; and

4) Enlist senior management to provide effective incentives in the mitigation process by tracking the number of unmitigated critical vulnerabilities for each group.
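Steps 2 and 4 together amount to a correlation job: join what the authenticated scan found installed against what the vulnerability feed says is affected and what the patch system can actually deliver, then roll the result up per group. The block below is an added example written for this page, not code from the paper, Tenable, NVD or any patch product. Hosts, products, the VULN-* identifiers, dates and the patch catalog are constructed samples (the identifiers are deliberately not CVE numbers); a real pipeline would read the inventory from the scanner, the affected-version data from NVD/OVAL, and the catalog from WSUS or SCCM.

```python
"""Correlating an authenticated-scan inventory with vulnerability and patch data.

Added example (not from the paper, Tenable or NVD): given which product versions
are installed on each host, which vulnerabilities are fixed in which version, and
which fixed versions the patch system can deliver, produce a prioritised
remediation list and the per-group count of unmitigated critical findings that
step 4 asks management to track. Hosts, products, VULN-* identifiers and the
catalog are constructed samples, not real CVE data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Installed:
    host: str
    group: str
    product: str
    version: str


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    product: str
    fixed_in: str          # first version that is not affected
    severity: str
    published: date


def version_key(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def is_affected(inst: Installed, vuln: Vuln) -> bool:
    return inst.product == vuln.product and version_key(inst.version) < version_key(vuln.fixed_in)


def patch_available(vuln: Vuln, catalog: Set[Tuple[str, str]]) -> bool:
    """True if the patch system offers any version of the product at or above the fix."""
    return any(p == vuln.product and version_key(v) >= version_key(vuln.fixed_in)
               for p, v in catalog)


def correlate(inventory: List[Installed], vulns: List[Vuln],
              catalog: Set[Tuple[str, str]], today: date) -> List[dict]:
    findings = []
    for inst in inventory:
        for vuln in vulns:
            if is_affected(inst, vuln):
                findings.append({
                    "host": inst.host, "group": inst.group, "product": inst.product,
                    "installed": inst.version, "vuln": vuln.vuln_id, "severity": vuln.severity,
                    "days_exposed": (today - vuln.published).days,
                    "patch_available": patch_available(vuln, catalog),
                })
    # Critical first, then the ones that can be fixed right now, then the longest exposed.
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]],
                                 not f["patch_available"], -f["days_exposed"]))
    return findings


def unmitigated_critical_by_group(findings: List[dict]) -> Dict[str, int]:
    """The per-group metric of step 4: open critical findings, whether or not a patch exists yet."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f["severity"] == "critical":
            counts[f["group"]] = counts.get(f["group"], 0) + 1
    return counts


# Constructed sample data.
INVENTORY = [
    Installed("ws01", "Finance", "java-jre", "1.6.0"),
    Installed("ws02", "Finance", "adobe-reader", "9.4"),
    Installed("ws03", "Engineering", "java-jre", "1.7.0"),
    Installed("srv01", "IT", "adobe-reader", "9.4"),
]
VULNS = [
    Vuln("VULN-A", "java-jre", "1.7.0", "critical", date(2011, 9, 1)),
    Vuln("VULN-B", "adobe-reader", "10.0", "critical", date(2011, 10, 15)),
    Vuln("VULN-C", "adobe-reader", "9.5", "medium", date(2011, 8, 1)),
]
CATALOG = {("java-jre", "1.7.0"), ("adobe-reader", "9.5")}   # what the patch system can push today

if __name__ == "__main__":
    fs = correlate(INVENTORY, VULNS, CATALOG, date(2012, 2, 1))
    for f in fs:
        print(f)
    print(unmitigated_critical_by_group(fs))
```

The `patch_available` flag is what separates a finding the patch system can close tonight from one that needs a compensating control (such as removing the affected plug-in from the Internet zone) until a fix ships; the sort order puts the former at the top of the queue while the group counts keep the latter visible to management.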



One known commercial example is from Tenable Network Security, Inc., which recently announced that its Nessus vulnerability scanner and SecurityCenter now integrate with top patch management solutions, including Red Hat Network Satellite Server, Microsoft Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager (SCCM), and VMware Go. The integration bridges the gap between vulnerability management and patch management solutions (darkReading.com, 2011). This is a very viable answer to GIAC's concern about preventing malicious software from entering its enterprise. It is critical to have a strong vulnerability management and patch management strategy.


In addition, Tenable recently published a white paper entitled 'Real-Time Auditing for SANS Consensus Audit Guidelines: Leveraging Asset-Based Configuration and Vulnerability Analysis with Real-Time Event Management' (Gula, Fennelly, 2011). This paper describes how their solutions can be leveraged to achieve compliance with the SANS Consensus Audit Guidelines (CAG) by ensuring that key assets are properly configured and monitored for security compliance. It is interesting to note how it can assist with the focus of Control 4. The following table, referenced from the aforementioned white paper, outlines its effectiveness in helping GIAC Enterprises with the critical task of reducing the exposed footprint for virus and malware attacks.


Control 4. Continuous Vulnerability Assessment and Remediation

Interpretation: It is important to monitor systems for vulnerabilities in as close to real time as possible. Penetration tests can discover vulnerabilities in the IT infrastructure, but they are only a snapshot in time. A system that is scanned one day and found to be free of vulnerabilities may be completely exploitable the next day.

Tenable Solution: Tenable was founded on the belief that it is crucial to monitor systems in a manner as close to real time as possible to ensure the organization does not drift out of compliance over time. The greater the gap between monitoring cycles, the more likely it is for vulnerabilities to be undetected. To achieve this goal, Tenable offers several technologies that can be leveraged:
> Nessus can perform rapid network scans. A typical vulnerability scan can take just a few minutes. With the SC, multiple Nessus scanners can be combined to perform load-balanced network scans.
> Nessus credentialed scans can be leveraged to perform highly accurate and rapid configuration and vulnerability audits. Credentialed scans also enumerate all UDP and TCP ports in just a few seconds.
> The Passive Vulnerability Scanner (PVS) monitors all network traffic in real time to find new hosts, new vulnerabilities, and new applications. It scans for the same vulnerabilities detected by the Nessus scanner.



This section helps to automate sub-controls 4.1, 4.2, 4.3, 4.4, 4.6, 4.7, and 4.8 (CAG, 2011, pp. 23-24).

6.4 Control 5 - Automating Continuous Monitoring of Malicious Software and Malware Callbacks


According to the most recent security threat report published by Sophos, they analyzed 95,000 malware samples every day, nearly double the amount tracked the prior year. This amounts to one unique file every 0.9 seconds, 24 hours per day, every day of the year (Sophos, 2011).

Attackers have developed ways to bypass outdated security techniques, such as signatures, leaving businesses and consumers vulnerable to attack. Signature-based technologies like IPS and antivirus software, in both perimeter and endpoint solutions, are increasingly ineffective against this rapidly evolving, blended threat. In fact, Bob Walder of Gartner reported, "Some IPS/IDS/Next-Generation firewalls (NGFW) vendors are no better at handling evasions today than they were when they released their original products" (Walder, 2010).

A common denominator of any malware delivery system is the human element. Quoting from the book Information Security Management Handbook, Sixth Edition: "It is well recognized that the greatest information security danger to any organization is not a particular process, technology, or equipment, rather it is the people who work within the 'system' that hide the inherent danger" (Tipton, Krause, 2007, Ch. 43). An educated workforce is also critical to combating malware.


With the sophisticated approaches used by modern attackers to inject malware into an organization, it is almost impossible to prevent systems from being compromised. A process has to be in place to implement an incident response when malware is detected. This process has to be timely in order to quickly contain any infections that have occurred. The efficiency of modern malware at gathering proprietary information and transmitting it back via encrypted channels is too alarming to ignore. A compromised system has to be removed from the network as soon as possible once detected, then eradicated and recovered following best-practice incident response procedures. In 2005 NIST introduced Special Publication 800-83, 'Guide to Malware Incident Prevention and Handling'. This publication provides recommendations for improving an organization's malware incident prevention measures. It also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents (Mell, 2005).




With the primary challenges businesses face today being zero-day and APT attacks, GIAC Enterprises needs to follow this process for automating, and thus reducing, the risk of data loss through malware infections:

1) Implement basic and necessary malware protection. This includes both perimeter and endpoint solutions for Intrusion Prevention Systems (IPS) as well as antivirus/antimalware protection. Even though these signature-based solutions are increasingly less effective, they will still prevent many infections from occurring. Host-based IPS (HIPS) can and should be implemented as another layer of protection, to prevent known malware from infecting systems;

2) Train and educate users in the art of recognizing social engineering tactics. Conduct simulated but realistic scenarios, such as sending targeted spear phishing emails with a payload that reports successful installation back to IT management;

3) Configure laptops, workstations, and servers so that they will not auto-run content from USB, CD/DVD, FireWire or other externally connectable sources;

4) Deploy network access control tools to verify security and patch-level compliance before granting access to the network;

5) Implement a malware incident response process that quickly detects, contains, eradicates, and recovers malware-infected hosts; and

6) Considering that the above recommendations might mitigate 80% of the risk to GIAC Enterprises, the remaining 20% is where the real challenge lies. With this in mind, advanced technology is needed, such as virtual inspection of executable malware, and inspection engines that monitor malware infections in real time and identify and block communication from compromised systems to attackers' command and control servers.



Recognizing the importance of the GIAC Enterprises cookie sayings, a technology needs to be recommended to compensate for the deficiencies just mentioned. In particular, how can one detect and prevent zero-day attacks? Is there a way to monitor both inbound and outbound traffic to detect command and control sessions? One commercial example of such technology is FireEye, which recently shared its five key principles for designing an effective network-based defense. The five key principles which GIAC Enterprises will focus on are (FireEye, p. 5):

1) Dynamic defenses to stop targeted, zero-day attacks;

2) Real-time protection to block data exfiltration attempts;

3) Integrated inbound and outbound filtering across protocols;

4) Accurate, low false positive rates; and

5) Global intelligence on advanced threats to protect the local network.

They have developed next-generation protection against stealth malware to prevent data loss and intellectual property theft. A diagram depicting this technology is included below (FireEye, pp. 6-8):




Another example of a commercial solution sensor is provided by Damballa Failsafe (Damballa Failsafe, 2011). It fulfills GIAC Enterprises' goal of monitoring malware infections in real time by monitoring DNS, egress and proxy traffic, and utilizing multi-dimensional deep-packet inspection engines to correlate suspicious behaviors to rapidly identify and isolate a breach by blocking the communication from compromised endpoints to criminal C&C servers. The following diagram depicts this approach:

This section helps to automate sub-controls 5.1, 5.2, 5.3, 5.5, 5.6, 5.7, 5.8, and 5.9 (CAG, 2011, pp. 26-27).
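The DNS, egress and proxy correlation described for the Damballa and FireEye class of products can be approximated on the proxy logs GIAC Enterprises already collects. As an added example, not the paper's or either vendor's code, the Python below runs two of those behaviors over constructed log lines: near-constant-interval outbound requests from one client to a host outside the allow list, and requests to a bare IP address instead of a domain name (DSD mitigation strategy 32 in Appendix C). The log format, the allow list and all hostnames are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed proxy log lines (not from the paper): "timestamp client destination bytes_out".
# Hostnames are placeholders; the .invalid host stands in for an unknown external server.
SAMPLE_PROXY_LOG = """\
2012-02-01T09:00:00 10.1.5.23 intranet.example.internal 812
2012-02-01T09:00:05 10.1.5.23 update-cdn.example.net 1203
2012-02-01T09:01:00 10.1.5.23 intranet.example.internal 640
2012-02-01T09:05:00 10.1.5.23 status.example-c2.invalid 301
2012-02-01T09:10:02 10.1.5.23 status.example-c2.invalid 299
2012-02-01T09:15:01 10.1.5.23 status.example-c2.invalid 305
2012-02-01T09:19:59 10.1.5.23 status.example-c2.invalid 300
2012-02-01T09:25:00 10.1.5.23 status.example-c2.invalid 302
2012-02-01T09:07:13 10.1.5.40 news.example.org 45201
2012-02-01T09:07:40 10.1.5.40 198.51.100.17 5400
2012-02-01T09:31:18 10.1.5.40 news.example.org 38810
"""

# Hypothetical allow list of destinations the organization already trusts.
KNOWN_GOOD = {"intranet.example.internal", "update-cdn.example.net"}


def parse_proxy_log(text):
    """Turn the constructed log into (timestamp, client, destination, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), client, dest, int(nbytes)))
    return records


def is_ip_literal(host):
    """True when the destination was requested by IP address rather than by name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_beacons(records, min_hits=4, max_jitter_ratio=0.05):
    """Flag (client, destination) pairs whose requests recur at a near-constant interval.
    Returns {pair: {"interval_s": median gap in seconds, "hits": request count}}."""
    by_pair = defaultdict(list)
    for ts, client, dest, _ in records:
        by_pair[(client, dest)].append(ts)
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits or pair[1] in KNOWN_GOOD:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        # A small relative spread of the inter-request gaps is the beaconing signature.
        spread = max(abs(g - median) for g in gaps) / median
        if spread <= max_jitter_ratio:
            findings[pair] = {"interval_s": median, "hits": len(times)}
    return findings


def find_ip_literal_destinations(records):
    """DSD strategy 32: requests that bypass DNS by using a bare IP address."""
    return sorted({(c, d) for _, c, d, _ in records if is_ip_literal(d)})


def triage(records):
    """Combine both detections into a per-client list of reasons to contain the host."""
    reasons = defaultdict(list)
    for (client, dest), info in find_beacons(records).items():
        reasons[client].append(
            f"periodic egress to {dest} every ~{info['interval_s']:.0f}s ({info['hits']} hits)")
    for client, dest in find_ip_literal_destinations(records):
        reasons[client].append(f"connection to IP literal {dest}")
    return dict(reasons)


if __name__ == "__main__":
    for client, why in triage(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(client, "->", "; ".join(why))
```

The jitter threshold and minimum hit count are tuning knobs; a production sensor would also weigh the allow list against reputation data, which this example does not model.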



7. Recommended Risk-based Action Plan

Clearly APTs pose significant risks to GIAC Enterprises and other organizations. This has led the Chief Legal Officer (CLO) and Chief Information Officer (CIO) of GIAC Enterprises to express concern, since the organization has a responsibility to do what is reasonable and prudent to protect its stakeholders. Therefore, a special team has been assigned the task of analyzing requirements and surveying available security standards and guidelines such as ISO, NIST, the 20 Critical Controls, and the Australian DSD 35 mitigating strategies. Appropriate research has also been conducted, and the relationship between the various frameworks has been mapped out. In addition, automation approaches have been developed for the most pressing controls from the point of view of the assigned team. One of the results of this research is a risk-based action plan for GIAC Enterprises to follow. The objective of this plan is to give tailored security guidance. The recommended plan is based on the action plan laid out at the end of the 20 Critical Controls Consensus Audit Guidelines (CAG, 2011, p. 69), augmented with steps the team believes are essential for the organization's specific requirements. Implementing all 20 Critical Controls to the "advanced controls" level can take multiple years. To quickly mitigate risk, the team believes that once the "Quick Wins" are implemented for the 20 Critical Controls, the focus should be on implementing controls 4, 5, 15, and 17 right away.


Action Plan:

1) Conduct a gap assessment to compare the organization's current security stance to the detailed recommendations of the critical controls;

2) Implement the "quick win" critical controls to address the gaps identified by the assessment over the next one or two quarters;

3) Implement critical controls numbers 4 and 5. Leverage the suggested automation approaches included in this research. Reaching the "advanced controls" level is preferred, but not necessary;

4) Implement critical controls numbers 15 and 17. Leverage the suggested automation approaches included in this research. Reaching the "advanced controls" level is preferred, but not necessary;

5) Assign security personnel to analyze and understand how the remaining critical controls, beyond the quick wins and controls 4, 5, 15, and 17, can be deployed;

6) For the remaining controls, devise detailed plans to implement the "visibility and attribution" and "hardened configuration and improved information security hygiene" categories over the next year; and

7) Plan for the deployment of the "advanced controls" over the longer term, giving priority to controls 4, 5, 15, and 17.

8. References

Alperovitch, D. et al. (2011, August 2). Revealed: Operation Shady Rat. Retrieved from http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat

Andress, J. (2011). Advanced Persistent Threat. ISSA Journal, 2011 (June), 18-24. Retrieved from https://www.issa.org/images/upload/files/Andress-Advanced%20Persistent%20Threat.pdf

Baseline Standard of Due Care for Cybersecurity (2009, February 23). U.S. Federal Cybersecurity Experts Name Top 20 Controls. Retrieved December 22, 2011, from http://www.gilligangroupinc.com/headlines/2009/feb-23-related/20090223-cag-press-release-pdf.html

Binde, B. et al. (2011, May 22). Assessing outbound traffic to uncover advanced persistent threat. Retrieved from http://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor.pdf

Bitpipe.com (2011, September 22). Advanced Persistent Threat: Are You the Next Target? [White paper sponsored by Imperva]. Retrieved December 14, 2011, from http://www.bitpipe.com/detail/RES/1316630992_836.html?asrc=RSS_BP_TERM

Command Five Pty Ltd. (2011, September 01). SK Hack by an Advanced Persistent Threat. Retrieved from http://www.commandfive.com/papers/C5_APT_SKHack.pdf

Consensus Audit Guidelines (CAG) Version 3.1 (2011, October 03). Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG). Retrieved December 23, 2011, from http://www.sans.org/critical-security-controls/cag3_1.pdf

Continuity Central: The international business continuity information portal. (2012, January 13). Twenty critical controls for effective cyber defense (U.K. Centre for the Protection of National Infrastructure). Website retrieved January 14, 2012, from http://continuitycentral.com/news06099.html

Coviello, A. (2011, March 18). Open Letter to RSA Customers. Retrieved December 22, 2011, from RSA.com: http://www.rsa.com/node.aspx?id=3872

Damballa. (2011). Advanced Malware. Retrieved January 2, 2012, from http://www.damballa.com/cyber-threats/advanced_malware.php

Damballa Failsafe. (2011). Damballa Failsafe 5.0 Demo. Retrieved January 2, 2012, from http://www.damballa.com/solutions/damballa-failsafe-demo.php?mkt_tok=3RkMMJWWfF9wsRokuKzPZKXonjHpfsX66OUkXaeg38431UFwdcjKPmjr1YEIT9QhcOuuEwcWGog8xA1VGOGZcIE%3D

darkReading.com (2011, December 13). Tenable Network Security Offers Unique Integration With Top Patch Management Solutions. Retrieved December 27, 2011, from http://www.darkreding.com/taxonomy/index/printarticle/id/232300437

Dausin, M. (2010, September 16). Top Cyber Security Risks 2010. Retrieved from http://dvlabs.tippingpoint.com/blog/2010/09/16/top-syber-security-risks-2010

E-Government Act of 2002. (2002, December 17). Public Law 107-347. Retrieved December 21, 2011, from http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf

FIPS PUB 200. (2006, March 09). Federal Information Processing Standards 200: Announcing the Standard for Minimum Security Requirements for Federal Information and Information Systems. Website retrieved December 21, 2011, from http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf

FireEye. (n.d.). 5 Design Principles for Advanced Malware Protection [White paper]. Retrieved December 27, 2011, from http://docs.media.bitpipe.com/io_10x/io_100086/item_407114/FireEye_5DesignPrinciples_wp.pdf

FISMA Implementation Project. (2009, June 12). FISMA Implementation Project. Website retrieved December 21, 2011, from http://www.nist.gov/itl/csd/sma/fisma.cfm

Guido, D. (2011, April 20). The Exploit Intelligence Project. Website retrieved January 28, 2012, from http://www.isecpartners.com/presentations/the-exploit-intelligence-project.html

Gula, R., & Fennelly, C. (2011, November 16). Real-Time Auditing for SANS Consensus Audit Guidelines: Leveraging Asset-Based Configuration and Vulnerability Analysis with Real-Time Event Management. Retrieved December 28, 2011, from http://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/uploads/documents/whitepapers/tenable_SANS-CAG_compliance.pdf

InfoSecurity (2011, June 23). The Hype, and the Reality, Behind Advanced Persistent Threats. Website retrieved December 27, 2011, from http://www.infosecurity-magazine.com/view/18897/the-hype-and-the-reality-behind-advanced-persistent-threats/

Jackson, W. (2011, October 03). NIST offers a how-to for must-do continuous monitoring. Website retrieved January 5, 2012, from http://gcn.com/Articles/2011/10/03/NIST-continuous-monitoring-security.aspx?Page=1

Kruse, P. (2011, September 27). This is how windows get infected by malware. Website retrieved January 28, 2012, from http://www.csis.dk.en.csis/news/3321

Lau, H. (2011, August 04). The Truth Behind the Shady Rat [Web log message]. Retrieved from http://www.symantec.com/connect/blogs/truth-behind-shady-rat

McClure, S. et al. (2010, March 03). Protecting Your Critical Assets: Lessons Learned from "Operation Aurora" [White paper]. Retrieved December 22, 2011, from McAfee.com: http://www.mcafee.com/us/resources/white-papers/wp-protecting-critical-assets.pdf

Mell, P. et al. (2005, November 23). Special Publication 800-83: Guide to Malware Incident Prevention and Handling. Website retrieved January 30, 2012, from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf

Parizo, E. (2012, January 27). Time to ban dangerous apps? Exploring third-party app security. Website retrieved January 27, 2012, from http://searchsecurity.techtarget.com/opinion/Time-to-ban-dangerous-apps-Exploring-third-party-app-security?asrc=EM_NLN_16192387&track=NL-105&ad=860220&

RSA Data Loss Prevention (DLP) Suite (2011, December 20). Retrieved from http://www.rsa.com/node.aspx?id=3426

RSA Data Loss Prevention (DLP) Policy Workflow Manager (PWM) (2011, December 23). Retrieved from http://www.rsa.com/products/DLP/ds/11436_DLPPWM_DS_0611.pdf

RSA Data Loss Prevention (DLP) Risk Remediation Manager (RRM) (2011, December 24). Retrieved from http://www.rsa.com/products/DLP/ds/11435_DLPRRM_DS_0611.pdf

SANS Press Release. (2011, October 24). Australian Defence Signals Directorate wins U.S. National Cybersecurity Innovation Award: Identifying and Implementing the Four Key Controls That Stop the Spread of Targeted Cyber Intrusions. Retrieved January 13, 2012, from http://www.sans.org/press/australian-defence-signals-directorate-national-cybersecurity-award.php

Shook, S. et al. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved from http://www.mcafee.com/in/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf

Smith, M. (2011, February 27). NIST SP 800-53 Rev. 4 already in the works. Retrieved December 22, 2011, from http://netlocksmith.blogspot.com/2011/02/nist-sp-800-53-rev-4-already-in-works.html

Sophos. (2011). Security threat report 2011 [White paper]. Retrieved from http://www.sophos.com/medialibrary/Gated Assets/white papers/sophossecuritythreatreport2011wpna.pdf

SP 800-137. (2011, September). NIST Special Publication 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Website retrieved January 5, 2012, from http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

SP 800-53 Revision 3. (2010, May 01). NIST Special Publication 800-53 Revision 3: Recommended Security Controls for Federal Information Systems and Organizations. Website retrieved December 21, 2011, from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

Tipton, H. & Krause, M. (2007). Information security management handbook, sixth edition. [Books24x7 version] Available from http://common.books24x7.com/toc.aspx?bookid=26438

Walder, B. (2010, November 29). Advanced Evasion Technologies: Weapon of Mass Destruction or Absolute Dud? Retrieved December 29, 2011, from http://www.stonesoft.com/export/download/partner_mat/advanced_evasion_techniques__209087.pdf

9. APPENDIX

Appendix A: FIPS PUB 200: Specifications for Minimum Security Requirements

| Specifications | Description |
|---|---|
| Access Control (AC) | Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. |
| Awareness and Training (AT) | Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. |
| Audit and Accountability (AU) | Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. |
| Certification, Accreditation, and Security Assessments (CA) | Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. |
| Configuration Management (CM) | Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems. |
| Contingency Planning (CP) | Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. |
| Identification and Authentication (IA) | Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. |
| Incident Response (IR) | Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities. |
| Maintenance (MA) | Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. |
| Media Protection (MP) | Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse. |
| Physical and Environmental Protection (PE) | Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems. |
| Planning (PL) | Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems. |
| Personnel Security (PS) | Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. |
| Risk Assessment (RA) | Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information. |
| System and Services Acquisition (SA) | Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization. |
| System and Communications Protection (SC) | Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems. |
| System and Information Integrity (SI) | Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response. |

Appendix B: Mapping between the 20 Critical Security Controls and National Institute of Standards and Technology Special Publication 800-53, Revision 3, Priority 1 Items

| Control | References |
|---|---|
| Critical Control 1: Inventory of Authorized and Unauthorized Devices | CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6 |
| Critical Control 2: Inventory of Authorized and Unauthorized Software | CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), CM-8 (1, 2, 3, 4, 6), CM-9, PM-6, SA-6, SA-7 |
| Critical Control 3: Secure Configurations for Hardware and Software | CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6 |
| Critical Control 4: Continuous Vulnerability Assessment and Remediation | RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6) |
| Critical Control 5: Malware Defenses | SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6) |
| Critical Control 6: Application Software Security | CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10 |
| Critical Control 7: Wireless Device Control | AC-17, AC-18 (1, 2, 3, 4), SC-9 (1), SC-24, SI-4 (14, 15) |
| Critical Control 8: Data Recovery Capability | CP-9 (a, b, d, 1, 3), CP-10 (6) |
| Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps | AT-1, AT-2 (1), AT-3 (1) |
| Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9 |
| Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services | CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12) |
| Critical Control 12: Controlled Use of Administrative Privileges | AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4) |
| Critical Control 13: Boundary Defense | AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18, SI-4 (c, 1, 4, 5, 11), PM-7 |
| Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs | AC-17 (1), AC-19, AU-2 (4), AU-3 (1, 2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12 (2), SI-4 (8) |
| Critical Control 15: Controlled Access Based on the Need to Know | AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a) |
| Critical Control 16: Account Monitoring and Control | AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3 |
| Critical Control 17: Data Loss Prevention | AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7 |
| Critical Control 18: Incident Response Capability | IR-1, IR-2 (1), IR-4, IR-5, IR-6 (a), IR-8 |
| Critical Control 19: Secure Network Engineering | IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7 |
| Critical Control 20: Penetration Tests and Red Team Exercises | CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7) |

Appendix C: Mapping between the 20 Critical Security Controls and the Australian Government Defence Signals Directorate's 35 Mitigation Strategies

| Mitigation Strategy Effectiveness Ranking | Mitigation Strategy | Matching Top 20 Critical Controls |
|---|---|---|
| 1 | Patch applications (e.g., PDF viewer, Flash Player, Microsoft Office and Java). Patch or mitigate within two days for high-risk vulnerabilities. Use the latest version of applications. | 4.3 |
| 2 | Patch operating system vulnerabilities. Patch or mitigate within two days for high-risk vulnerabilities. Use the latest operating system version. | 4.3 |
| 3 | Minimize the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for e-mail and web browsing. | 19.1, 19.6 |
| 4 | Application white listing to help prevent malicious software and other unapproved programs from running (e.g., by using Microsoft Software Restriction Policies or AppLocker). | 2.4 |
| 5 | Host-based intrusion detection/prevention system to identify anomalous behavior such as process injection, keystroke logging, driver loading, and call hooking. | 8.1, 8.6 |
| 6 | White-listed email content filtering allowing only attachment types required for business functionality. Preferably convert/sanitize PDF and Microsoft Office attachments. | 8.5 |
| 7 | Block spoofed e-mails using sender policy framework checking of incoming e-mails, and a "hard fail" SPF record to help prevent spoofing of your organization's domain. | 12.5 |
| 8 | User education (e.g., Internet threats and spear phishing socially engineered emails). Avoid weak pass phrases, pass phrase re-use, exposing e-mail addresses, unapproved USB devices. | 19.1, 17.1, 17.2, 17.3, 17.4, 17.5 |
| 9 | Web content filtering of incoming and outgoing traffic, using signatures, reputation ratings, and other heuristics, and white listing allowed types of web content. | 12.1, 12.2, 12.3 |
| 10 | Web domain white listing for all domains, since this approach is more proactive and thorough than black listing a tiny percentage of malicious domains. | 12.1, 12.7 |
| 11 | Web domain whitelisting for HTTPS/SSL domains, since this approach is more proactive and thorough than black listing a tiny percentage of malicious domains. | 12.1, 12.7 |
| 12 | Workstation inspection of Microsoft Office files for abnormalities (e.g., using the Microsoft Office File Validation feature). | 8.1, 8.6 |
| 13 | Application-based workstation firewall, configured to deny traffic by default, to protect against malicious or otherwise unauthorized incoming network traffic. | 3.3, 8.1, 5.1 |
| 14 | Application-based workstation firewall, configured to deny traffic by default, that white lists which applications are allowed to generate outgoing network traffic. | 3.3, 8.1, 8.8, 5.1 |
| 15 | Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication and user directory information. | 10.8, 12.6, 20.4, 11.1, 11.5 |
| 16 | Multi-factor authentication especially implemented for when the user is about to perform a privileged action, or access a database or other sensitive information repository. | 10.6, 19.11 |
| 17 | Randomized local administrator pass phrases that are unique and complex for all computers. Use domain group privileges instead of local administrator accounts. | 19.1, 19.7 |
| 18 | Enforce a strong pass phrase policy covering complexity and length, and avoiding both pass phrase re-use and the use of dictionary words. | 19.1, 19.8, 13.7 |
| 19 | Border gateway using an IPv6-capable firewall to prevent computers from directly accessing the Internet except via a split DNS server, an e-mail server, or an authenticated web proxy. | 10.5, 12.7, 11.3 |
| 20 | Data execution prevention using hardware and software mechanisms for all software applications that support DEP. | 3.3 |
| 21 | Anti-virus software with up-to-date signatures, reputation ratings, and other heuristic detection capabilities. Use gateway and desktop anti-virus software from different vendors. | 8.1, 8.2, 8.5, 8.6 |
| 22 | Nonpersistent, virtualized trusted operating environment with limited access to network file shares, for risky activities such as reading e-mail and web browsing. | 2.6 |
| 23 | Centralized and time-synchronized logging of allowed and blocked network activity, with regular log analysis, storing logs for at least 18 months. | 7.1, 7.3, 7.5, 7.6, 7.7 |
| 24 | Centralized and time-synchronized logging of successful and failed computer events, with regular log analysis, storing logs for at least 18 months. | 7.1, 7.4, 7.5, 7.6 |
| 25 | Standard operating environment with unrequired operating system functionality disabled (e.g., IPv6, autorun and Remote Desktop). Harden file and registry permissions. | 3.1, 3.2, 3.3, 8.3 |
| 26 | Workstation application security configuration hardening (e.g., disable unrequired features in PDF viewers, Microsoft Office applications, and web browsers). | 3.1, 3.2, 3.3 |
| 27 | Restrict access to NetBIOS services running on workstations and on servers where possible. | 20.3, 20.4 |
| 28 | Server application security configuration hardening (e.g., databases, web applications, customer relationship management, and other data storage systems). | 3.1, 3.2, 3.3 |
| 29 | Removable and portable media control as part of a data loss prevention strategy, including storage, handling, white listing allowed USB devices, encryption, and destruction. | 8.3, 8.4, 9.7, 9.8, 9.10 |
| 30 | TLS encryption between e-mail servers to help prevent legitimate e-mails from being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted. | 20.4 |
| 31 | Disable LanMan password support and cached credentials on workstations and servers to make it harder for adversaries to crack password hashes. | 3.1, 3.2, 3.3, 19.5 |
| 32 | Block attempts to access websites by their IP address instead of by their domain name. | 12.1, 12.7 |
| 33 | Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. | 12.2, 12.3 |
| 34 | Gateway black listing to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous Internet users. | 12.1 |
| 35 | Full network traffic capture to perform post-incident analysis of successful intrusions, storing network traffic for at least the previous seven days. | 12.4 |
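As an added example (not part of the paper), the following Python turns the Appendix B and Appendix C tables into a queryable crosswalk: it parses the CAG's "SI-3 (a, b, 1, 2)" notation into base-control paragraphs and control enhancements, maps each priority control from the action plan to its SP 800-53 references and to the DSD strategies covering any of its sub-controls, and reports priority controls that no DSD strategy maps to. Appendix B is embedded only for controls 4, 5, 15 and 17; the function names are the example's own.

```python
import re

# Critical controls the action plan singles out for immediate implementation.
PRIORITY_CONTROLS = [4, 5, 15, 17]

# Appendix B rows for the priority controls: Critical Control number -> SP 800-53 Rev. 3
# references, copied from the paper's table. In the CAG's notation, letters inside the
# parentheses are paragraphs of the base control and numbers are control enhancements.
APPENDIX_B = {
    4: "RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)",
    5: "SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)",
    15: "AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a)",
    17: "AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7",
}

# Appendix C: DSD mitigation strategy rank -> matching CAG sub-controls, copied from the paper.
APPENDIX_C = {
    1: "4.3", 2: "4.3", 3: "19.1, 19.6", 4: "2.4", 5: "8.1, 8.6", 6: "8.5", 7: "12.5",
    8: "19.1, 17.1, 17.2, 17.3, 17.4, 17.5", 9: "12.1, 12.2, 12.3", 10: "12.1, 12.7",
    11: "12.1, 12.7", 12: "8.1, 8.6", 13: "3.3, 8.1, 5.1", 14: "3.3, 8.1, 8.8, 5.1",
    15: "10.8, 12.6, 20.4, 11.1, 11.5", 16: "10.6, 19.11", 17: "19.1, 19.7",
    18: "19.1, 19.8, 13.7", 19: "10.5, 12.7, 11.3", 20: "3.3", 21: "8.1, 8.2, 8.5, 8.6",
    22: "2.6", 23: "7.1, 7.3, 7.5, 7.6, 7.7", 24: "7.1, 7.4, 7.5, 7.6",
    25: "3.1, 3.2, 3.3, 8.3", 26: "3.1, 3.2, 3.3", 27: "20.3, 20.4", 28: "3.1, 3.2, 3.3",
    29: "8.3, 8.4, 9.7, 9.8, 9.10", 30: "20.4", 31: "3.1, 3.2, 3.3, 19.5", 32: "12.1, 12.7",
    33: "12.2, 12.3", 34: "12.1", 35: "12.4",
}

# "XX-n" optionally followed by a parenthesised, comma-separated list.
REF_RE = re.compile(r"([A-Z]{2}-\d+)(?:\s*\(([^)]*)\))?")


def parse_sp800_refs(text):
    """'SI-3 (a, b, 1, 2)' -> [('SI-3', ['a', 'b'], ['1', '2'])]: control, paragraphs, enhancements."""
    refs = []
    for control, inner in REF_RE.findall(text):
        items = [i.strip() for i in inner.split(",") if i.strip()]
        paragraphs = [i for i in items if i.isalpha()]
        enhancements = [i for i in items if i.isdigit()]
        refs.append((control, paragraphs, enhancements))
    return refs


def sp800_for_control(n):
    """Flatten the Appendix B row for Critical Control n into individual SP 800-53 identifiers;
    paragraph references are folded into the base control, enhancements become 'SI-3(1)'."""
    ids = []
    for control, _paragraphs, enhancements in parse_sp800_refs(APPENDIX_B[n]):
        ids.append(control)
        ids.extend(f"{control}({e})" for e in enhancements)
    return ids


def _subcontrols(rank):
    return [s.strip() for s in APPENDIX_C[rank].split(",")]


def dsd_strategies_for_control(n):
    """DSD strategies whose matching sub-controls fall under Critical Control n (any n.x)."""
    return sorted(r for r in APPENDIX_C
                  if any(s.split(".")[0] == str(n) for s in _subcontrols(r)))


def dsd_strategies_for_subcontrol(sub):
    """DSD strategies mapped to one specific CAG sub-control, e.g. '12.1'."""
    return sorted(r for r in APPENDIX_C if sub in _subcontrols(r))


def controls_for_sp800(control_id):
    """Reverse lookup: which embedded Critical Controls cite a given SP 800-53 control."""
    return sorted(n for n, row in APPENDIX_B.items()
                  if any(c == control_id for c, _, _ in parse_sp800_refs(row)))


def crosswalk(n):
    """One priority control seen from both frameworks at once."""
    return {"critical_control": n,
            "sp800_53": sp800_for_control(n),
            "dsd_strategies": dsd_strategies_for_control(n)}


def uncovered_priority_controls():
    """Priority controls that no DSD strategy maps to: these have to be driven from the CAG
    and SP 800-53 side alone, since the DSD list offers no corresponding quick check."""
    return [n for n in PRIORITY_CONTROLS if not dsd_strategies_for_control(n)]


if __name__ == "__main__":
    for n in PRIORITY_CONTROLS:
        print(crosswalk(n))
    print("priority controls without DSD coverage:", uncovered_priority_controls())
```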