Security Framework from SANS

SANS CriticalSecurity Controls v6
Jeffrey Reed, integraONE Solutions Architect;CISSP #22390

- The SANS Institute was established in 1989 as a cooperative research and
education organization
- At the heart of SANS are the many security practitioners in varied global
organizations from corporations to universities working together to help the
entire information security community.

They were created by the people who know how attacks work -
NSA Red and Blue teams, the US Department of Energy nuclear
energy labs, law enforcement organizations and some of the
nation's top forensics and incident response organizations - to
answer the question, "what do we need to do to stop known
attacks."

CSC # 1: Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the
network so that only authorized devices are given access, and unauthorized and
unmanaged devices are found and prevented from gaining access.
• Deploy an automated asset inventory discovery tool
• Deploy dynamic host configuration protocol (DHCP) server logging
• Ensure that all equipment acquisitions automatically update the inventory
system
• Maintain an asset inventory of all systems connected to the network
• Deploy network level authentication via 802.1x
• Use client certificates to validate and authenticate systems

CSC # 2: Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so
that only authorized software is installed and can execute, and unauthorized and
unmanaged software is found and prevented from installation or execution
• Devise a list of authorized software and version that is required in the
enterprise
• Deploy application whitelisting technology
• Deploy software inventory tools throughout the organization
• Virtual machines should be used to run applications that are higher risk

CSC #3: Secure Configurations for Hardware and Software on Mobile Devices,
Laptops, Workstations, and Servers
Establish, implement, and actively manage (track, report on, and correct) the
security configuration of laptops, servers, and workstations using a rigorous
configuration management and change control process in order to prevent
attackers from exploiting vulnerable services and settings.
• Establish standard secure configurations of operating systems and software
applications
• Build a secure image that is used to build all new systems that are deployed in
the enterprise
• Store the master images on securely configured servers, validated with
integrity checking tools
• Perform all remote administration of servers, workstation, network devices,
and similar equipment over secure channels
• Use file integrity checking tools to ensure that critical system files have not
been altered
• Deploy system configuration management tools that will automatically enforce
and redeploy configuration settings

CSC #4: Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to
identify vulnerabilities, remediate, and minimize the window of opportunity for
attackers.
• Run automated vulnerability scanning tools against all systems on the network
on a weekly or more frequent basis
• Correlate event logs with information from vulnerability scans
• Perform vulnerability scanning in authenticated mode
• Subscribe to vulnerability intelligence services
• Deploy automated patch management tools and software update tools
• Monitor logs associated with any scanning activity and associated
administrator accounts
• Compare the results from back-to-back vulnerability scans to verify that
vulnerabilities were addressed
• Establish a process to risk-rate vulnerabilities based on the exploitability and
potential impact of the vulnerability

CSC #5: Controlled Use of Administrative Privileges
Track, control, prevent, and correct the use, assignment, and configuration of
administrative privileges on computers, networks, and applications.
• Minimize administrative privileges and only use administrative accounts when
they are required
• Use automated tools to inventory all administrative accounts
• Change all default passwords to have values consistent with administration-
level accounts
• Log and alert when an account is added or removed from a domain
administrators’ group, or when a new local administrator account is added on a
system.
• Configure systems to issue a log entry and alert on any unsuccessful login to an
administrative account.
• Use multi-factor authentication for all administrative access
• User accounts shall be required to use long passwords on the system
• Admins should access a system a non-admin account then transition to admin
privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, etc
• Administrators shall use a dedicated machine for all administrative tasks

CSC #6: Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect,
understand, or recover from an attack.
• Use two synchronized time sources for all servers and network equipment
• Validate audit log settings for each hardware device and the software installed
on it
• Ensure that all systems that store logs have adequate storage space for the logs
generated on a regular basis
• Run biweekly reports that identify anomalies in logs
• Configure network boundary devices to verbosely log all traffic arriving at the
device
• Deploy a SIEM (Security Information and Event Management) or log analytic
tools for log aggregation and consolidation

CSC #7: Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate
human behavior though their interaction with web browsers and e-mail systems.
• Ensure that only fully supported web browsers and email clients are allowed to
execute in the organization
• Uninstall or disable any unnecessary or unauthorized browser or email client
plugins or add-on applications
• Limit the use of unnecessary scripting languages in all web browsers and email
clients
• Log all URL requests from each of the organization's systems
• Deploy two separate browser configurations to each system
• Use network based URL filters that limit a system's ability to connect to
websites not approved by the organization
• implement the Sender Policy Framework (SPF) by deploying SPF records in DNS
• Scan and block all e-mail attachments entering the organization's e-mail
gateway if they contain malicious code

CSC #8: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points
in the enterprise, while optimizing the use of automation to enable rapid updating
of defense, data gathering, and corrective action.
• All malware detection events should be sent to enterprise anti-malware
administration tools and event log servers
• Employ anti-malware software that offers a centralized infrastructure
• Limit use of external devices to those with an approved, documented business
need
• Enable anti-exploitation features for increased protection
• Use network-based anti-malware tools to identify executables in all network
traffic
• Enable domain name system (DNS) query logging to detect hostname lookup
for known malicious C2 domains.

CSC #9: Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols,
and services on networked devices in order to minimize windows of vulnerability
available to attackers.
• Ensure that only ports, protocols, and services with validated business needs
are running on each system.
• Apply host-based firewalls or port filtering tools on end systems
• Perform automated port scans on a regular basis against all key servers
• Move servers it to an internal VLAN if not required to be on the Internet
• Operate critical services on separate physical or logical host machines
• Place application firewalls in front of any critical servers

CSC #10: Data Recovery Capability
Properly back up critical information with a proven methodology for timely
recovery.
• Ensure that each system is automatically backed up on at least a weekly basis
• Test data on backup media on a regular basis
• Ensure that backups are properly protected via physical security or encryption
when they are stored
• Backup destination should not be addressable through operating system calls

CSC #11: Secure Configurations for Network Devices such as Firewalls, Routers,
and Switches
Establish, implement, and actively manage (track, report on, correct) the security
configuration of network infrastructure devices using a rigorous configuration
management and change control process in order to prevent attackers from
exploiting vulnerable services and settings.
• Compare firewall, router, and switch configuration against standard secure
configurations
• Custom configuration rules should be documented and recorded in a
configuration management system
• Use automated tools to verify standard device configurations and detect
changes
• Manage network devices using two-factor authentication and encrypted
sessions.
• Install the latest stable version of any security-related updates on all network
devices.
• Use a dedicated machine for all administrative tasks or tasks requiring elevated
access
• Manage the network infrastructure on separate VLANs

CSC #12: Boundary Defense
Detect/prevent/correct the flow of information transferring networks of different
trust levels with a focus on security-damaging data.
• Deny communications with known malicious IP addresses
• On DMZ networks monitoring at least packet header information and send to a
SIEM
• Deploy network-based IDS sensors on Internet and extranet DMZ systems
• Network-based IPS devices should be deployed to complement IDS
• All outgoing network traffic to the Internet must pass through at least one
application layer filtering proxy server
• Require all remote login access to use two-factor authentication.
• All enterprise devices remotely logging into the internal network should be
managed by the enterprise
• Periodically scan for back-channel connections to the Internet that bypass the
DMZ
• Analysis DMZ network flows to detect anomalous activity.
• Configure firewall session tracking mechanisms to identify TCP sessions that
last an unusually long time

CSC #13: Data Protection
Prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the
privacy and integrity of sensitive information.
• Perform an assessment of data to identify sensitive information
• Deploy approved hard drive encryption software
• Deploy an automated tool on network perimeters that monitors for sensitive
information
• Conduct scans of servers to determine whether sensitive data is present on the
system in clear text
• Configure systems so that they will not write data to USB tokens or USB hard
drives
• Use network-based DLP solutions to monitor and control the flow of data
within the network
• Monitor all traffic leaving the organization and detect any unauthorized use of
encryption
• Block access to known file transfer and e-mail exfiltration websites.
• Use host-based DLP when data is copied off a server

CSC #14: Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to
critical assets (e.g., information, resources, systems) according to the formal
determination of which persons, computers, and applications have a need and
right to access these critical assets based on an approved classification.
• Locate all sensitive information on separated VLANS
• All communication of sensitive information over less-trusted networks should
be encrypted
• Enable Private Virtual Local Area Networks (VLANs) for segmented workstation
networks
• Information stored on systems shall be protected with access control lists
• Sensitive information stored on systems shall be encrypted at rest
• Enforce detailed audit logging for access to nonpublic data
• Archived data or systems shall be removed from the organization's network

CSC #15: Wireless Access Control
Track, control, prevent, and correct the security use of wireless local area
networks (LANS), access points, and wireless client systems.
• Ensure that each wireless device matches an authorized configuration and
security profile
• Configure network vulnerability scanning tools to detect wireless access points
connected to the wired network
• Use wireless intrusion detection systems (WIDS) to identify rogue wireless
devices
• Configure wireless access to allow access only to authorized wireless networks
• Ensure that all wireless traffic leverages AES encryption
• Ensure that wireless networks use EAP/TLS
• Disable peer-to-peer wireless networks
• Disable wireless peripheral access of devices unless required
• Create separate virtual local area networks (VLANs) for BYOD systems or other
untrusted devices

CSC #16: Account Monitoring and Control
Actively manage the life-cycle of system and application accounts - their creation,
use, dormancy, deletion - in order to minimize opportunities for attackers to
leverage them.
• Disable any system account that cannot be associated with a business process and
owner
• Ensure that all accounts have an expiration date
• Revoke system access by disabling accounts immediately upon termination of an
employee or contractor
• Automatically log off users after a standard period of inactivity
• locks on systems to limit access to unattended workstations.
• Monitor account usage to determine dormant accounts
• Lockout accounts after a set number of failed login attempts
• Monitor attempts to access deactivated accounts
• Configure access for all accounts through a centralized point of authentication
• Profile user’s typical account usage
• Require multi-factor authentication for all user accounts that have access to sensitive
data or systems
• User accounts shall be required to use long passwords on the system
• Transmit usernames and authentication across networks using encrypted channels
• Verify that all authentication files are encrypted or hashed

CSC #17: Security Skills Assessment and Appropriate Training to Fill Gaps
Identify the specific knowledge, skills, and abilities needed to support defense of
the enterprise; develop and execute an integrated plan to assess, identify and
remediate gaps, through policy, organizational planning, training, and awareness
programs for all functional roles in the organization.
• Perform gap analysis to see which skills employees need
• Deliver training to fill the skills gap
• Implement an security awareness program
• Validate and improve awareness levels through periodic tests
• Use security skills assessments for each of the mission-critical roles to identify
skills gaps

CSC #18: Application Software Security
Make security an inherent attribute of the enterprise by specifying, designing, and
building-in features that allow high confidence systems operations while denying
or minimizing opportunities for attackers.
• Check that the version of application software you are using is still supported
by the vendor
• Protect web applications by deploying web application firewalls (WAFs)
• Ensure that explicit error checking is performed and documented for all input
• Test in-house-developed and third-party-procured web applications for
common security weaknesses
• Do not display system error messages to end-users
• Maintain separate environments for production and nonproduction systems
• For applications that rely on a database, use standard hardening configuration
templates
• Ensure that all software development personnel receive training in writing
secure code
• Ensure that development artifacts are not included in the deployed software

CSC #19: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing
and implementing an incident response infrastructure (e.g., plans, defined roles,
training, communications, management oversight).
• Ensure that there are written incident response procedures
• Assign job titles and duties for handling incidents to specific individuals.
• Define management personnel who will support the incident handling process
• Devise organization-wide standards for the time required for system
administrators and other personnel to report anomalous events
• Assemble and maintain information on third-party contact information to be
used to report a security incident
• Publish information for all personnel regarding reporting computer anomalies
and incidents to the incident handling team
• Conduct periodic incident scenario sessions for personnel associated with the
incident handling team

CSC #20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization's defenses (the technology, the
processes, and the people) by simulating the objectives and actions of an attacker.
• Conduct regular external and internal penetration tests to identify
vulnerabilities and attack vectors
• Any user or system accounts used to perform penetration testing should be
controlled and monitored
• Perform periodic Red Team exercises to test organizational readiness
• Include tests for the presence of unprotected system information and artifacts
that would be useful to attackers
• Plan clear goals of the penetration test itself
• Use vulnerability scanning and penetration testing tools in concert
• Ensure that Red Teams results are documented using open, machine-readable
standards
• Create a test bed that mimics a production environment for specific
penetration tests

Security Framework from SANS

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Security Framework from SANS (20)

Recently uploaded (20)

Security Framework from SANS