Security and Compliance: Monitoring, controlling, and changes

Monitoring your organization against threats
Critical System Control
Montreal, April 24, 2014
By Marc-Andre Heroux
CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM
Compliance & Security Advisor
All organizations face various types of threats. Threats can come from inside your organization, from outside it, or from both. This article focuses on monitoring informational resources against all types of threats to your critical functions, which are supported by electronic assets such as servers, desktops, switches, routers, firewalls, etc.

Today, some people think that keeping a system or its state hidden makes the system more secure. Probably because of my own experience and knowledge of cyber security, I see things a little differently from many other experts. Over the last 17 years, I have implemented and conducted security assessments against many types of critical systems, often connected to the Internet.

Critical public systems such as DNS, Web, Mail and VPN, using various types of authentication mechanisms such as saslauthd, OAuth2 or SAML against Oracle, MySQL or MS-SQL, and using many types of technologies such as secure LDAP or SSL, can be easily discovered by attackers.
Why monitor for potential threats?
Simple: organizations are getting more and more interconnected, and thinking that obscurity can be considered a security control is, to me, like ignoring the new reality of interconnected networks and the risk surrounding the Internet.

As a security specialist I share the same approach as Kerckhoffs's principle [i], also formulated by Claude Shannon as "the enemy knows the system" and widely used by cryptographers as opposed to security by obscurity: "a critical system can be known and be secure".
For a critical system connected to the Internet, I recommend keeping it up to date (e.g. latest kernels, modules, etc.), continuously monitoring it against threats and abnormal activities, and correcting issues when they are detected, through the implementation or correction of physical, operational, administrative or technical controls. I also recommend using application controls such as whitelisting and implementing an IPS (if the data flows are critical, IDS mode is usually preferable).

For a critical system not connected to the Internet, or not connected to any network (no access in, no access out), my recommendations are different and vary as a function of many elements. This article explains the basic elements you may have to consider in order to choose the proper controls.
Lock and monitor
Most knowledgeable security specialists agree and understand that we "monitor" traffic for critical activities such as bank transactions, Programmable Logic Controllers (PLC) and critical computers used by industrial organizations (e.g. energy) with an IDS, and that we do not use an IPS. It is the same situation with the use of anti-malware technical controls on very critical isolated systems: it is often preferable to keep the system state unchanged and operationally functional, and to receive an alert about a potentially suspicious activity or an alarm when abnormal activity is detected, rather than to block a system execution. Blocking valid activity could generate a negative business impact, whereas the control is supposed to protect the system. This is one of the main reasons why some very critical and isolated systems simply do not run anti-malware, IPS or other specific technical controls against threats, and rely instead on strict procedures and acceptable practices.
We must remember that subnets must be segregated and, if necessary, multi-level DMZs must be implemented; virtual routing and forwarding as well as 802.1Q tunneling must be used carefully. Conducting a risk assessment, including a risk analysis and a business impact assessment, allows an organization to establish the proper orientation and select the proper controls. Such experts understand when it is preferable to use an IPS (often against Internet threats in TCP segments, and never against frames of internal networks when critical systems are involved, e.g. Ethernet II). This applies to all organizations conducting critical activities such as banks, energy, industrial, etc.
Monitoring traffic is crucial and is often mandatory (e.g. NERC [ii]). Filtering and blocking malicious traffic is often optional, but I usually suggest an IPS to detect and block threats in incoming/outgoing traffic at the boundaries of critical perimeters (e.g. Internet to Intranet, Intranet to critical perimeter gateways), but never inside electronic security perimeters (ESP), where blocking valid traffic could lead to various operational disaster scenarios. Real-time monitoring of firewalls and other security sensors is required to rapidly detect and initiate response to cyber incidents. [iii]
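The zone-dependent placement recommended above (an IPS that may block at perimeter boundaries, alert-only monitoring inside an ESP), as an added example that is not part of the original article; the sensor record format, zone names, addresses and baseline flows are all constructed for illustration:

```python
"""Zone-aware flow monitor: block at perimeter boundaries, alert-only in the ESP.

Added example; the record format and every address below are constructed."""
import re
from collections import Counter

# Constructed sensor record format: one flow per line.
FLOW_RE = re.compile(
    r"zone=(?P<zone>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

# Expected flows per zone, as a risk assessment and a baseline capture would
# establish them (constructed values): Modbus/TCP from an HMI to two PLCs
# inside the ESP, and HTTPS from the intranet to one DMZ gateway at the boundary.
BASELINE = {
    "esp": {
        ("tcp", "10.10.1.5", "10.10.1.20", 502),
        ("tcp", "10.10.1.5", "10.10.1.21", 502),
    },
    "boundary": {
        ("tcp", "192.168.50.10", "172.16.0.2", 443),
    },
}

# What an out-of-baseline flow triggers in each zone. Inside the ESP the sensor
# only alerts, because blocking valid PLC traffic is itself a disaster scenario;
# at the perimeter boundary the IPS may block.
ACTION_FOR_UNKNOWN_FLOW = {"boundary": "block", "esp": "alert"}


def parse_flow(line):
    """Return (zone, flow tuple) or None if the record is not well formed."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    return m["zone"], (m["proto"], m["src"], m["dst"], int(m["dport"]))


def evaluate(line, baseline=BASELINE):
    """Decide allow / alert / block for one record.

    Anything the sensor cannot classify (bad record, unknown zone) is alerted,
    never blocked: failing closed is reserved for the perimeter boundary."""
    parsed = parse_flow(line)
    if parsed is None:
        return "alert", "malformed sensor record"
    zone, flow = parsed
    if flow in baseline.get(zone, set()):
        return "allow", "baseline flow"
    action = ACTION_FOR_UNKNOWN_FLOW.get(zone, "alert")
    return action, f"flow not in {zone} baseline: {flow}"


def summarize(lines, baseline=BASELINE):
    """Count actions over a batch of records, e.g. one monitoring interval."""
    return dict(Counter(evaluate(line, baseline)[0] for line in lines))


# Constructed sample records for a single interval.
SAMPLE_RECORDS = [
    "2014-04-24T10:00:01 zone=esp proto=tcp src=10.10.1.5 dst=10.10.1.20 dport=502",
    "2014-04-24T10:00:02 zone=esp proto=tcp src=10.10.1.5 dst=10.10.1.21 dport=502",
    # An engineering laptop talking Modbus to a PLC it never talked to before.
    "2014-04-24T10:00:03 zone=esp proto=tcp src=10.10.1.77 dst=10.10.1.20 dport=502",
    "2014-04-24T10:00:04 zone=boundary proto=tcp src=192.168.50.10 dst=172.16.0.2 dport=443",
    # Inbound SSH attempt from the Internet side to the DMZ gateway.
    "2014-04-24T10:00:05 zone=boundary proto=tcp src=203.0.113.9 dst=172.16.0.2 dport=22",
    "2014-04-24T10:00:06 garbage",
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(*evaluate(record))
    print(summarize(SAMPLE_RECORDS))
```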
Security and compliance involve by default: exceptions, justifications and compensatory measures. In all organizations, there are situations where it is considered more secure, with reason, not to apply any changes to a specific system (e.g. an HSM in a bank usually remains unchanged; mainframes and Unix systems are other examples, especially in industrial organizations; in the energy sector, Technical Feasibility Exceptions (TFE) can justify the exemption from running a protective control such as anti-malware or from applying any update such as a system or firmware update, etc.).
Security paradigm
Although it is usually considered insecure to keep a system unchanged, as previously explained, it is sometimes the only way to keep it at an acceptable security posture considering the potential impacts of a loss, especially when systems are isolated and very critical. In those situations, a justification (e.g. ticket, derogation, statement of applicability, etc.) must be provided in order to document the reasons for the exception and its duration in time.

An organization can be compliant and secure while systems remain unchanged during a long period of time (e.g. years), and it is important to understand this reality in large corporations conducting critical activities. Not all systems can remain secure while unchanged; systems isolated in restricted networks or not interconnected to a computer network are the usual valid examples.
This is where compensatory measures are especially important (e.g. the Stuxnet virus [iv] was able to infect critical systems particularly because of a lack of procedures surrounding the acceptable use of USB keys). The use of USB keys on critical systems must be strictly controlled and ideally avoided. The use of an infected USB key is very risky and could lead to disclosure and modification of information and, in some cases, to system malfunction and disruption. It appears that good practices and appropriate procedures in the management of critical systems permit many organizations to remain safe against technical threats while monitoring abnormal activities.

[Figure: IDS sensor]
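The "controlling and monitoring" approach the article advocates for isolated critical systems, an integrity baseline that reports modifications instead of blocking them and treats a change as justified only while a documented exception (ticket plus duration) covers it, as an added example that is not part of the original article; the file names, ticket numbers and dates are constructed:

```python
"""File-integrity monitoring with documented exceptions: alert, never block.

Added example; the directory layout, ticket ids and dates are constructed."""
import hashlib
import tempfile
from datetime import date
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Hash plus the metadata a Tripwire-style baseline would record."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": st.st_mode & 0o777}


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by POSIX relative path."""
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict, current: dict, exceptions: dict, today: date) -> list:
    """Report every deviation from the baseline.

    A deviation is 'justified' only while a documented exception (ticket and
    expiry date) covers that path; a lapsed exception is an alert again, so the
    duration of the exception is enforced, not just its existence."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            change = "removed"
        elif rel not in baseline:
            change = "added"
        elif baseline[rel] != current[rel]:
            change = "modified"
        else:
            continue  # unchanged: the state we want on a critical system
        exc = exceptions.get(rel)
        if exc and exc["expires"] >= today:
            status, ticket = "justified", exc["ticket"]
        elif exc:
            status, ticket = "alert-expired-exception", exc["ticket"]
        else:
            status, ticket = "alert", None
        findings.append({"path": rel, "change": change,
                         "status": status, "ticket": ticket})
    return findings


def demo() -> list:
    """Constructed scenario: baseline a PLC workstation, then apply four changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hmi.conf").write_text("poll_interval=500\n")
        (root / "etc" / "firmware.ver").write_text("2.1.4\n")
        (root / "bin" / "runtime").write_bytes(b"\x7fELF-stub")
        baseline = build_baseline(root)

        (root / "etc" / "hmi.conf").write_text("poll_interval=250\n")     # planned
        (root / "etc" / "firmware.ver").write_text("2.2.0\n")             # exception lapsed
        (root / "bin" / "runtime").write_bytes(b"\x7fELF-stub-modified")  # unplanned
        (root / "bin" / "dropper.exe").write_bytes(b"MZ")                 # unplanned

        # Constructed exception register: ticket id and the date it expires.
        exceptions = {
            "etc/hmi.conf": {"ticket": "CHG-0042", "expires": date(2014, 5, 1)},
            "etc/firmware.ver": {"ticket": "CHG-0017", "expires": date(2014, 3, 31)},
        }
        return compare(baseline, build_baseline(root), exceptions,
                       today=date(2014, 4, 24))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```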
For critical systems, we often suggest applying controls to keep a system unchanged and monitoring it for abnormal behaviours or modifications. As opposed to general security practices suggesting regular system updates, critical systems (e.g. industrial, bank) must remain unchanged during a long period and be monitored for abnormal activities or behaviours. This approach, "controlling and monitoring", can be very effective. Technically, the most challenging aspects of controlling and monitoring activities are selecting the proper controls (e.g. McAfee Application Control, Tripwire, etc.), the IDS location (e.g. boundaries of perimeters) where the sensors send captured logs, the placement of the sensors, and the type of traffic to monitor (e.g. UDP, TCP, Ethernet II). Remember, monitoring local traffic is necessary to be able to detect layer 2 threats (e.g. MAC address attacks).

As already mentioned, in certain circumstances, especially for critical electronic assets, a machine can remain out of date (kernel, modules, etc.), and this can be justified and considered acceptable and secure based on the threats and vulnerabilities assessed.

It is important to remember that this concept is applicable to all organizations. Updating a system is not necessarily the option to consider, while at other moments change is the only acceptable way to remain secure.

Finally, while often mandatory, monitoring against threats is a crucial security activity from which all organizations can benefit.

Notes
[i] David Salomon, "Kerckhoffs's principle", Data Privacy and Security: Encryption and Information Hiding, 2003, ISBN 0-387-00311-8, P. 15,435.
[ii] North American Electric Reliability Corporation (NERC), CIP-005-4 R3, Monitoring Electronic Access.
[iii] Keith Stouffer, Joe Falco, Karen Scarfone, National Institute of Standards and Technology, Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, P. 5-3.
[iv] Katherine Hibbs Pherson, Randolph H. Pherson, "PART V: CASE STUDIES", Critical Thinking For Strategic Intelligence, 2013, 1st ed., ISBN 978-1452226675, P. 240.