
Securing IT Systems with the Consensus Benchmarks and Scoring Tools Clint Kreitner


Presentation Transcript


  1. THE CENTER FOR INTERNET SECURITY SM Securing IT Systems with the Consensus Benchmarks and Scoring Tools Clint Kreitner www.cisecurity.org ckreitner@cisecurity.org

  2. Unfortunate, but true… “Through 2005, 90 percent of cyber attacks will continue to exploit known security flaws for which a patch is available or a preventive measure known.”
     • Gartner Group, May 6, 2002

  3. What is causing the vulnerabilities that are being exploited?
     • Software defects
       • Fixed with vendor patches
     • Lack of technical security controls
       • Security settings made to enable or disable security features of the OS software
       • Think of them as software switches

  4. Examples of security settings
     • Password length, complexity
     • Account lockout after X attempts
     • Audit what system events?
     • Idle time before logoff
     • Users allowed to install print drivers?
     • What unneeded services to disable?
     • File system to use?

  5. Aren’t these standards adequate to improve user security practice?
     • ISO 17799
     • COBIT from ISACA
     • SysTrust, WebTrust from AICPA
     • FISCAM from GAO
     • Principles and Practices for Security of IT Systems from NIST
     • Standard of Good Practice from ISF

  6. These standards are helpful, but incomplete
     • They describe “what” to do, but not “how”
     • These standards are effective only when accompanied by details on how to implement their requirements

  7. An Example from ISO 17799
     9.7.1 Event logging
     Audit logs recording exceptions and other security-relevant events should be produced and kept for an agreed period to assist in future investigations and access control monitoring. Audit logs should also include:
     a) user IDs;
     b) dates and times for log-on and log-off;
     c) terminal identity or location if possible;
     d) records of successful and rejected system access attempts;
     e) records of successful and rejected data and other resource access attempts.

  8. One of several actions needed to implement event logging on Sun Solaris systems:

     cat <<END_SCRIPT >/etc/init.d/newperf
     #!/sbin/sh
     /usr/bin/su sys -c \
         "/usr/lib/sa/sadc /var/adm/sa/sa\`date +%d\`"
     END_SCRIPT
     chown root:sys /etc/init.d/newperf
     chmod 744 /etc/init.d/newperf
     rm -f /etc/rc2.d/S21perf
     ln -s /etc/init.d/newperf /etc/rc2.d/S21perf
     /usr/bin/su sys -c crontab <<END_ENTRIES
     0,20,40 * * * * /usr/lib/sa/sa1
     45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
     END_ENTRIES

  9. Why has it been so difficult to proliferate good security practice?
     • Vendors have been shipping unconfigured systems to users with technical security controls turned off
     • Users don’t know how to properly configure their systems
     • Users are afraid to disrupt operations
       • With patches or security settings

  10. Microsoft Issues Patches, but Users Don’t Apply Them Forrester Research Report April 3, 2003

  11. Responding to the challenge
     • Cosmos Club meeting Aug 2000
     • Need to develop and proliferate detailed technical best practices
     • The only true solution is to try to raise the bar everywhere--globally
     • Employ a consensus process to define best practices that is driven by security-savvy users from the public and private sectors

  12. The Center for Internet Security (CIS)
     • Formed in October 2000
     • Modeled after other community initiatives, e.g., transportation safety
     • A not-for-profit consortium of users
     • Convenes and facilitates teams that build consensus benchmarks

  13. Some of the participants in the consensus effort:
     Government: Nat’l Inst Stds & Tech., Infocomm Development Authority of Singapore, Naval Surface Warfare Center, US Treasury Financial Management Service, Washington State Dept. of Health, Defense Info Sys Agency (DISA), Federal Reserve System, NASA, US Dept of Justice, Library of Congress, Royal Canadian Mounted Police, Communications Security Establishment (Canada), Canadian CERT, NSA, GSA, FedCIRC, Dept Homeland Security, State of Maryland

  14. Participants (cont’d):
     Commercial: Eastman Kodak, SASKTel, LG&E Energy, Hallmark, Intel, Deutsche Telekom, Caterpillar, Baylor College of Medicine, NCR, Battelle, U.S. Central Credit Union, VISA, Thomson Holdings, Pitney Bowes, First Union Corporation, Intuit, Union Bank of California, Swiss Reinsurance Co, Elemica, Online Resources, Agilent Technologies, Shell Info. Tech. Int’l, PeopleSoft, News Corporation

  15. More (cont’d):
     Consulting/Service: IBM Business Consulting, Grant Thornton, Deloitte Touche, ISS, Symantec, BindView, NetIQ, SecureNet Solutions, RDA Corp, CSC, Procinct Security, Solutionary, Polivec, Mobile Automation, ConfigureSoft, GFM Consulting

  16. More (cont’d):
     Universities: Institute for Security Tech. Studies at Dartmouth, Virginia Tech, Monash University (Australia), Illinois Institute of Technology, University of Missouri, William & Mary, Utah State University, University of California, SF, New York University

  17. Auditing Participants
     • Information Systems Audit and Control Association (ISACA)
     • American Institute of Certified Public Accountants (AICPA)
     • Institute of Internal Auditors (IIA)

  18. What has this public/private partnership produced so far?

  19. Currently available:
     • Level I Configuration Benchmarks
       • Solaris
       • Linux
       • HP-UX
       • Windows NT
       • Windows 2000
       • Cisco Router IOS

  20. A Level I Benchmark:
     • Can be implemented by a sysadmin of any level of security expertise
     • Can be monitored by a compliance tool
     • Is not likely to “break” any function
     • Represents a baseline level of security

  21. Currently available:
     • Gold Standard Benchmarks
       • W2K Professional Level II
       • W2K Server Level II
       • CISCO Router IOS Level I/II
       • Solaris Level I

  22. Also currently available:
     • Configuration Scoring Tools
       • Solaris
       • Linux
       • HP-UX
       • Windows NT
       • Windows 2000 Server
       • Windows 2000 Professional
       • Cisco Router IOS
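The scoring tools listed above do what slide 20 calls "monitoring by a compliance tool": they read a system's security settings (the kind listed on slide 4), compare each against the benchmark value, and report how many are met. The following is an added illustration of that idea in POSIX shell; it is not code from CIS, from the presentation, or from any CIS scoring tool. The "KEY = value" file format, the key names (PASS_MIN_LEN, LOCK_AFTER_ATTEMPTS, IDLE_TIMEOUT_SEC, AUDIT_LOGINS), the thresholds and both sample files are constructed for the example and are not CIS benchmark values.

```shell
#!/bin/sh
# Added example, not CIS code: a minimal configuration scorer in the spirit of
# the CIS scoring tools. It reads a "KEY = value" settings file and scores it
# against a few Level-I-style rules modelled on the settings on slide 4.
# The file format, key names and thresholds are constructed for illustration.

# get_setting FILE KEY: print the value of KEY (last occurrence wins; empty if absent).
# Comment lines (# ...) never match because the pattern is anchored on the key.
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)\$/\1/p" "$1" | tail -n 1
}

# is_number VALUE: succeed only for a non-empty string of digits
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# check_min FILE KEY MIN: KEY is numeric and >= MIN (e.g. minimum password length)
check_min() {
    v=$(get_setting "$1" "$2")
    is_number "$v" && [ "$v" -ge "$3" ]
}

# check_range FILE KEY LO HI: KEY is numeric and LO <= KEY <= HI.
# A lower bound of 1 rejects 0, which in these samples means "feature switched off".
check_range() {
    v=$(get_setting "$1" "$2")
    is_number "$v" && [ "$v" -ge "$3" ] && [ "$v" -le "$4" ]
}

# check_eq FILE KEY EXPECTED: KEY equals EXPECTED exactly
check_eq() {
    [ "$(get_setting "$1" "$2")" = "$3" ]
}

# tally DESCRIPTION CHECK ARGS...: run one rule, count it, report a failure on stderr
tally() {
    desc=$1; shift
    total=$((total + 1))
    if "$@"; then
        pass=$((pass + 1))
    else
        echo "FAIL: $desc" >&2
    fi
}

# score_config FILE: print "passed/total" for the rule set below
score_config() {
    f=$1; pass=0; total=0
    tally "minimum password length >= 8"       check_min   "$f" PASS_MIN_LEN 8
    tally "lockout after 1-5 failed attempts"  check_range "$f" LOCK_AFTER_ATTEMPTS 1 5
    tally "idle logoff within 1-15 minutes"    check_range "$f" IDLE_TIMEOUT_SEC 60 900
    tally "logon/logoff events audited"        check_eq    "$f" AUDIT_LOGINS yes
    echo "$pass/$total"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: vendor defaults with the controls switched off
cat >"$WORK/default.conf" <<'EOF'
# out-of-the-box settings (constructed sample)
PASS_MIN_LEN = 4
LOCK_AFTER_ATTEMPTS = 0
IDLE_TIMEOUT_SEC = 0
AUDIT_LOGINS = no
EOF

# Constructed sample: the same keys after applying benchmark-style values
cat >"$WORK/hardened.conf" <<'EOF'
PASS_MIN_LEN = 12
LOCK_AFTER_ATTEMPTS = 5
IDLE_TIMEOUT_SEC = 600
AUDIT_LOGINS = yes
EOF

echo "default.conf:  $(score_config "$WORK/default.conf")"   # 0/4, with four FAIL lines on stderr
echo "hardened.conf: $(score_config "$WORK/hardened.conf")"  # 4/4
```

Each rule is a small predicate over one setting, and the score is simply the count of rules met, which is also what makes such a tool usable for the "scan, configure, rescan" methodology of slide 26: the same script run before and after applying the benchmark shows the change. A real scoring tool would read the platform's actual configuration sources (for example password and audit settings on the OS) rather than a constructed key/value file.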

  23. Under development:
     • Benchmarks and Scoring Tools for:
       • Oracle databases
       • Apache
       • Windows IIS
       • Windows XP
       • Windows Server 2003
       • Catalyst Switches
       • PIX Firewalls
       • Check Point FW-1
       • SQL Server
       • Juniper Routers

  24. How is this work being done?
     • Teams are formed with security experts from member organisations
     • An initial benchmark draft is obtained or developed
     • Consensus is established via email and conference call discussion
     • A scoring tool is developed
     • They are made available free to all users globally via the CIS website (www.cisecurity.org)

  25. The good news… Case studies show that 80-90% of known vulnerabilities are blocked by the security settings in the consensus benchmarks.

  26. Case Study Methodology
     • (1) Scan a system “out of the box” and list identified vulnerabilities
     • (2) Configure the system with the appropriate benchmark
     • (3) Rescan the system and note the vulnerabilities remaining

  27. Vulnerability Assessment Case studies

  28. Encouraging progress:
     • U.S. government promulgation of CIS benchmarks and tools via FedCIRC
     • VISA adoption of CIS benchmarks for its Cardholder Information Security Program’s Digital Dozen
     • Progress at the vendor level
       • Dell now delivering pre-configured systems
       • Top security experts from Microsoft, Sun, HP, Cisco, and Oracle are active on the benchmark consensus teams

  29. Benefits of using benchmarks and tools
     • Substantially reduce the risk of unauthorized intrusion
     • Following a recognized patching and configuration standard demonstrates due care against legal liability
     • Provides a basis for ongoing measurement and reporting of security status to management

  30. Recommended policies:
     • Use govt purchasing power to buy only benchmark-configured systems from vendors
     • Encourage corporate and other institutional buyers to do the same
     • Establish benchmark compliance as an audit requirement
     • Encourage users in all sectors to download and use the consensus benchmarks and tools

  31. Thank you! ckreitner@cisecurity.org http://www.cisecurity.org
