Você está na página 1de 2

Free Sponsored

Whitepapers 20 Critical Security Controls

On April 21, 2010, the U.S. National Cyber Security Coordinator, Howard Schmidt, and the U.S. Chief Information Officer, Vivek Kundra, announced a new set of rules for federal agencies and contractors subject to the Federal
Information Security Management Act. From that day forward, the agencies would be measured on how well they automated the monitoring and maintenance of the most important security controls. Because those controls are
critical to commercial companies as well as government agencies, the new policy will reshape how security is practiced. This poster provides a roadmap of the tools that automate the 20 most critical security controls.

Protection From the

www.coresecurity.com www.sourcefire.com
The 20 Critical Controls are the most effective processes that organizations use Under the auspices of the Center for Strategic and International Studies, John
Building a Web Application Strategies for Securing
to stop computer attackers from gaining entry to systems and networks, or to Gilligan (the former CIO of the U.S. Department of Energy and the U.S. Air
Security Program Virtualized Environments
mitigate damage from attackers who get in. The automation of these controls Force) brought together a consortium to identify the most likely and damaging
has radically lowered the cost of security while improving effectiveness.
Most Likely Attack Vectors ways systems could be attacked, and the highest priority controls that stop or
mitigate those attacks. Members of the consortium include NSA, US Cert, DoD
U.S. State Department Chief Information Security Officer,
Cyber Crime Center, and the top commercial forensic experts and pen testers
John Streufert, demonstrated more than 90 percent reduction 4) Secure Configurations for 5) Boundary Defense
6) Maintenance, serving the banking and critical infrastructure communities.
in measured security risk, across all U.S. embassies and all other Firewalls, Routers, and Switches Set boundaries consisting
www.insightix.com www.splunk.com State Department offices, through the automation, measurement, Deploy tools to evaluate network of firewalls, proxies, DMZ Monitoring, and Analysis
filtering devices and to search perimeter networks, and of Audit Logs
Insightix BSA Visibility: The Foundation Stone and monitoring of the majority of the Critical Controls. 7) Application Software Security
Splunk for Security for errors and unauthorized network-based Intrusion Activate logging features
for the 20 Critical Controls. of systems, networks, and Test internally developed
configuration changes. Prevention Systems. Test and third-party software with
3) Secure Configurations for firewalls; review.
Tool (Vendor): these defenses with automated analysis tools, or
Hardware and Software on Assure-Firewall Compliance Auditor & Network Tool (Vendor):
Laptops, Workstations, and Servers
vulnerability-scanning tools. Splunk by manual application security
Compliance Auditor (Skybox Security)
Tool (Vendor): Security Blanket (Trusted Computer Solutions)
Harden systems beyond a default Firewall Analyzer & FireFlow (AlgoSec) penetration testing. Attacks
Network Advisor (RedSeal) Network Advisor (RedSeal) Security Manager (Trustwave)
state with a series of images and should lead to automatically-
secure storage servers, and verify. Network Configuration Manager – (Solarwinds) Open Log Management (LogLogic)
generated alerts.
www.paloalto.com www.symantec.com Tool (Vendor): Tool (Vendor):
Tapping Unexpected Benefits of IPS + Next-Gen Addressing the Consensus Audit Guidelines (CAG) Retina & Blink (eEye Digital Security) Hailstorm (Cenzic)
Primary & IP360 (misconfigurations) Nessus & SecurityCenter (Tenable)
Firewall at Farm Credit Financial Partners via the Symantec Risk Automation Suite Nessus & SecurityCenter (Tenable) 5 8) Controlled Use of
2) Inventory of Authorized SecureFusion (Symantec)
Secondary (nCircle)
4 6 Administrative Privileges
and Unauthorized Software
Use commercial software and
CCM (FDCC) Monitor and track accounts
asset inventory tools to check 3 7 with superuser privileges.
Tool (Vendor):
for common applications and
Security Manager (Trustwave)
www.nubridges.com identify unauthorized programs.
Security Blanket
www.toplayersecurity.com Tool (Vendor): (Trusted Computer Solutions)
Best Practices in Encryption, Parity (Bit9)
Guide to Using Network IPS to
Key Management and Tokenization CounterAct (ForeScout Technologies)
Protect Against Next-Gen Cyber Threats CCM Primary & IP360 Secondary (nCircle) 2 8
Nessus & SecurityCenter (Tenable)
To get your free vendor-sponsored whitepaper, visit 9) Controlled Access
1) Inventory of Authorized
www.sans.org/tools.php and Unauthorized Devices
Based on Need to Know
Separate sensitive data
Know what is on the network, and block from less sensitive data,
unauthorized devices from connecting.
and control access to it.
Tool (Vendor):
Nessus & SecurityCenter
1 9 Tool (Vendor):
(ForeScout Technologies) (Tenable) CounterAct (ForeScout Technologies)
SecureFusion (Symantec) CCM Primary,
BSA Visibility (Insightix) IP360 Secondary
(nCircle) 10) Continuous Vulnerability
Assessment and Remediation
20) Security Skills Assessment and Deploy effective scanning tools
Appropriate Training to Fill Gaps that compare the results of a
Use assessments of employees
to identify when their security 20 10 scan with the previous scans to
determine changing vulnerabilities.
knowledge is insufficient
Tool (Vendor):
for their role, and provide
Skybox Secure Solution IP360 (nCircle)
appropriate training. (Skybox Security) Nexpose (Rapid 7)
(SANS Institute) SAINT & SAINTmanager (SAINT)
(Black Hat Briefings) CounterAct
(ForeScout Technologies)
Nessus (Tenable)
Retina (eEye Digital Security)
19) Data Recovery Capability 19 11
Deploy a robust, secure backup 11) Account Monitoring & Control
capability for important data, and Configure systems to record more
test a random sample of system detailed information about account

Security Roadmap
Where applicable, vendors are listed in (RED) below the control’s summary access, and utilize home-grown
backups on a regular basis.
to denote companies that have produced a tool to partly or fully automate an element of the scripts or third-party log analysis
critical security controls. In order to qualify for this distinction, vendors had to comply with the following requirements: tools to analyze information.
1) Turn in a written submission addressing how existing users of the tool employ it to automate part or all of a control.
SUMMER 2010 – 20TH EDITION 18 2) Supply contact information of an end-user from a major organization to attest and verify the tool’s capabilities. 12 Tool (Vendor):
18) Incident Response Security Blanket (Trusted Computer Solutions)
We verify that the client does use the tool to automate that control. Vendors are encouraged to apply, Security Manager (Trustwave)
and upon meeting the requirements will be added to to the ‘user vetted tools’ webpage at
Define detailed 12) Malware Defenses
incident response Use built-in administrative
procedures, and
engage in periodic 17 13 features of enterprise end-point
security suites to verify that

What Works in Implementing the

scenario-based training. antivirus, anti-spyware, and host-
based IDS/IPS features are active
16 14
20 Critical Security Controls
on every managed system.
17) Penetration Tests and 15 13) Limitation and Control Tool (Vendor):
Red Team Exercises of Network Ports, Blink (eEye Digital Security)
Mimic the actions of computer Protocols, and Services
AND attackers while defining a Configure systems to minimize
16) Secure Network 14) Wireless Device
clear scope and the rules of the attack surface of listening For more detailed
Engineering 15) Data Loss Prevention Control
SANS Cyber Attack Threat Map
engagement for penetration ports and protocols,
testing, applying findings to Apply sound security Utilize DLP solutions Run wireless scanning,
deploying host-based firewalls information on the
architecture principles in to look for exfiltration detection, and
# Fully-Automated Control help improve security. to bolster defenses. 20 Critical Security Controls
Tool (Vendor):
designing the layout and attempts and to detect discovery tools, and
configuration of routers, other suspicious activities wireless Intrusion
Tool (Vendor): visit its interactive Web page at
CORE IMPACT Pro (Core Security Technologies) CCM (nCircle)
switches, significant servers, associated with a Detection Systems. www.sans.org/critical-security-
# Non-Automated Control firewalls, security components protected network. Tool (Vendor):
www.sans.org/whatworks controls/interactive.php
and groups of client machines. Retina & Blink (eEye Digital Security)
Who are the attackers? What is their objective? What attack vector did they use? What target systems did What types of protection
Amateur computer hackers/criminals Theft of credit card data or financial credentials Widely used software with bugs, not adequately patched, they use to gain entry? could have stopped them?
to steal money or badly configured (passwords, unnecessary services)
Organized crime groups Desktops
Theft of personal information for identity theft DEFENSIVE WALL 1:
Well organized and professional, non-state actors These vulnerabilities lead to the following attacks: Laptops Proactive Software Assurance
(i.e. political activists and hackers possibly acting on Extortion based on fake malware detection
• Simple remote exploit PDAs • Source Code and Binary Code Testing Tools and Services
behalf of a foreign entity)
Alteration of data on Web pages or other “trusted (White Box Scanners)
• “Remote control” software (‘bots) Flash Media
Nation-states seeking competitive economic, financial, sources” for economic gain, or retribution or political
or political advantage purposes • Application Security Scanners (White Box Tools)
• Rootkits USB-enabled consumer devices, such as
Nation states seeking intelligence or military Political purposes/disrupting trusted communications digital picture frames, cameras, and media • Network-Based Threat Assessments
• Keystroke loggers
advantage players
Exploitation of end systems for remote control or spam • Host-Based Threat Assessments
• Information Disclosure (network/config details, etc)
Angry or unethical employees, contractors and Cell phones and smart phones
Exploitation of end systems for remote control for • Application Penetration Testing
consultants • Utility Malware
DDoS PBXs and telephony infrastructure
• Application Security Skills Assessment and Certification
Outsourced or subcontracted firms and/or employees • Command and Control Channels
Exploitation of end systems for remote control of Network devices
Unethical advertisers/commercial entities malware installation Vulnerabilities in custom-written applications for businesses or Wireless networks Blocking Attacks: Network Based
(i.e. spyware and adware providers) consumers, which lead to:
Theft of information for commercial purposes Firewalls • Intrusion Prevention (IPS) and Detection (IDS)
Theft of defense secrets for national interest • SQL injection
IDS/IPS equipment • Wireless Intrusion Prevention (WIPS)
The SANS Cyber Attack Threat Map illuminates the key Exploitation of computers for physical attack • Cross-Site Scripting
Routers • Network Behavior Analysis and Baselining
elements present in nearly every attack and offers a Persistent access for theft of timely information related • Cross-Site Request Forgery
Switches • Firewalls, Enterprise Antivirus, and Unified Threat Management
means to map the steps in successful attacks so that to economic, financial, or political purposes • Command Injection
DNS Servers • Secure Web Gateways
the best defensive approaches can be identified. Each Persistent access for theft of defense secrets for • Client-Side Attacks
national interest Mail Servers • Secure Messaging Gateways and Anti-Spam Tools
attack can be explained using a specific path through
Flawed protocols and weak network architectures allows the Web Servers
the map. As examples, we show how the Credit Card • Web Application Firewalls
following attacks to succeed:
Data and ACH Funds Transfer thefts (in blue), Advanced Database Servers • Managed Security Services
• Man-in-the-middle attacks
Persistent Threat infiltrations (in red), and Search Engine Card and Financial Data Theft VPNs
• Snooping/sniffing
Optimization scams (in green) were carried out. Advanced Persistent Threat
Appliances (e.g. smart printers) Blocking Attacks: Host Based
• Session hijacking
SANS thanks researchers Johannes Ullrich, Ed Skoudis, • Endpoint Security, including anti-virus, anti-spyware, personal
and Rob Lee for their contributions. Search Engine Optimization (SEO) • Lateral movement using compromised credentials firewall, host-based IPS, and related technologies
• Access to shared file servers and mail servers • Enterprise Forensic and Incident Response Capabilities
• Masquerade of legitimate users • Network Access Control
Top 9 Most Dangerous Attack Vectors Human curiosity or desire to be helpful, or carelessness allows
Upcoming SANS Training Events
Dates and locations are subject to change.
• System Integrity Checking Tools
the following attacks to succeed: www.sans.org • Configuration Hardening Tools
By Ed Skoudis, author of SANS Penetration Testing and Hacker Exploits Hands-On Courses
www.sans.org/training/description.php?mid=937 • Social engineering • Restricting Admin Account Usage
SANS Boston 2010
Search Engine Optimization (SEO) to Distribute Mass SQL Injection: For years, SQL injection attacks have focused on
• Spear phishing August 2 - 7, 2010 • Boston, MA DEFENSIVE WALL 4:
Malware: When a big news story breaks, computer extracting sensitive data from individual Web applications and a back- • Phishing Eliminating Security Vulnerabilities
attackers use SEO techniques to make sure links to their end database. Recently, attackers have ramped up SQL injection through SANS WhatWorks: Virtualization and Cloud • Network Discovery Tools
• Viruses
malicious Web pages appear near the top of popular automation software to exploit thousands of target Web applications at Computing Summit 2010
search engine rankings. That way, when unsuspecting a time. Instead of stealing data, these latest attacks focus on updating • IM messages with attachment or hyperlink to infecting site • Vulnerability Management
August 19 - 20, 2010 • Washington, DC
users look for a news story and click on the attacker’s link content in databases that will be displayed on Web sites. Today, bad guys
in the search results, the attacker’s Web site delivers back use SQL injection to update Web content with browser-hooking scripts • E-mail messages with attachment or hyperlink to infecting site • Network Penetration Testing and Ethical Hacking
an exploit for client software, infecting the machine. and client-side software exploits to infect client machines.
SANS Portland 2010
• Password disclosure • Patch and Security Configuration Management and Compliance
August 23 - 28, 2010 • Portland, OR
Third-Party Client-Side Software Exploits: As Targeting Administrative Interfaces: Most large-scale enterprise
systems, such as endpoint security suites, network administration tools, Improper physical security practices, lack of proper inventory DEFENSIVE WALL 5:
underlying operating systems have grown more secure,
controls, and lax data destruction practices lead to:
SANS Virginia Beach 2010 Safely Supporting Authorized Users
attackers are increasingly turning to exploits of third- ERP software, and even HVAC and electrical system management, are
Aug 29 - Sept 3, 2010 • Virginia Beach, VA
party software running on top of Windows, including configured via web-based administrative interfaces. As they hook • Identity and Access Management
browsers or exploit client-side software flaws, attackers are increasingly • Theft of computer systems and drives
office suites (Word, Excel, and PowerPoint), media players
(Real Player, iTunes, QuickTime), and especially document hunting for these administrator interfaces so that they can control the SANS Network Security 2010 • Mobile Data Protection and Storage Encryption
• Theft of laptops, PDAs, cell phones and smart phones
viewing tools such as Adobe Reader. Often, attackers associated infrastructure. September 19 - 27, 2010 • Las Vegas, NV
• Storage and Backup Encryption
wield these exploits on a zero-day basis, before a vendor • Temporary theft of laptops to grab a copy of its secrets, returning
Social Networking Sites for Information Leakage and Exploit the item before it has been noticed as missing • Content Monitoring tools
has released a patch for the vulnerable software. Distribution: Attackers are using very popular social networking sites, SANS WhatWorks: Legal Issues and PCI in
Spear Phishing: In this oldie-but-goodie attack, bad such as Facebook, LinkedIn, and Twitter, to gather sensitive information • Loss of tapes, disks, USB keys and other devices with sensitive data Information Security Summit 2010 • Data Leak Protection and Digital Rights Management
guys send highly targeted e-mail to specific people about enterprise operations and technologies shared by employees. September 27 - 28, 2010 • Las Vegas, NV
• Leaking confidential information to “dumpster divers” • Virtual Private Networks
in an enterprise in an attempt to coax a victim into Even worse, some attackers are distributing exploits and browser-
opening a malicious file attachment or surf to a website hooking scripts via social networking sites. • Leaking confidential information on machines/drives SANS Chicago 2010 DEFENSIVE WALL 6:
that delivers client-side exploits. The days of phishing that are donated or resold after being “end of lifed” October 25-31, 2010 • Chicago, IL Tools to Manage Security and Maximize Effectiveness
Windows Pass-the-Hash Attacks Incorporated into Attack Suites:
messages with clumsy grammar, preposterous scenarios, Attackers are using pass-the-hash techniques against Windows systems Failure to address backup/recovery issues and business • Log Management and Security Information and
and undifferentiated mailing lists of millions are waning. to bounce through domains across the enterprise, using stolen hashes continuity planning leads to: SANS San Antonio 2010 Event Management
Today’s most damaging spear phishing attempts are instead of passwords to authenticate. Pass-the-hash capabilities October 25-31, 2010 • San Antonio, TX
directed at corporate executives, with carefully crafted are now integrated into widely used computer attack tools such as • Media Sanitization and Mobile Device Recovery and Erasure
• Loss of critical data
realistic scenarios, and flawless grammar. Metasploit and Nmap, making them easier to use in mass exploitation
• Extended interruptions of service
SANS Tysons Corner Fall 2010 • Security Skills Development
Browser Hooking: By exploiting cross-site-scripting than ever.
October • Tysons Corner, VA
flaws on trusted Web sites, attackers post content that Hardware Hacking: As software defenses have improved and flexible • Loss of revenue and reputation • Security Awareness Training
contains malicious browser scripts. When a user accesses embedded devices such as cell phones, wireless routers, and smart • Failure to meet SLAs, financial penalties SANS WhatWorks: Incident Detection and • Host and Network Based Forensics Tools
the attacker’s content on the trusted site, its browser runs electric meters have proliferated, computer attackers are increasingly Log Management Summit 2010
these scripts, giving the attacker control of the browser turning to hardware hacking. Through bus sniffing, firmware attacks, • Physical harm to employees and contractors • Enterprise Forensics Tools
itself. Attackers then use these hooked browsers as a
December 8 - 9, 2010 • Washington, DC
clock glitching, and other fine-grained hardware manipulation, • Governance, Risk, and Compliance Management Tools
launch point to attack other systems, including internal attackers are bypassing security controls and extracting encryption
SANS CDI East 2010
network resources and servers of the enterprise with the
hooked browser.
keys useful in attacking the enterprise infrastructure that supports the
embedded device. For more information visit www.sans.org December 10 - 16, 2010 • Washington, DC
• Disaster Recovery and Business Continuity