Free Sponsored
Whitepapers
www.coresecurity.com
Building a Web Application
Security Program
www.insightix.com
Insightix BSA Visibility: The Foundation Stone
for the 20 Critical Controls.
www.paloalto.com
Tapping Unexpected Benefits of IPS + Next-Gen
Firewall at Farm Credit Financial Partners
www.nubridges.com
Best Practices in Encryption,
Key Management and Tokenization
To get your free vendor-sponsored whitepaper, visit
www.sans.org/tools.php
THE MOST TRUSTED NAME FOR
INFORMATION AND SOFTWARE SECURITY
Security Roadmap
SUMMER 2010 – 20TH EDITION
What Works in Implementing the
20 Critical Security Controls
AND
SANS Cyber Attack Threat Map
www.sans.org/whatworks
www.sourcefire.com
Strategies for Securing
Virtualized Environments
www.splunk.com
Splunk for Security
www.symantec.com
Addressing the Consensus Audit Guidelines (CAG)
via the Symantec Risk Automation Suite
www.toplayersecurity.com
Guide to Using Network IPS to
Protect Against Next-Gen Cyber Threats
20 Critical Security Controls
On April 21, 2010, the U.S. National Cyber Security Coordinator, Howard Schmidt, and the U.S. Chief Information Officer, Vivek Kundra, announced a new set of rules for federal agencies and contractors subject to the Federal
Information Security Management Act. From that day forward, the agencies would be measured on how well they automated the monitoring and maintenance of the most important security controls. Because those controls are
critical to commercial companies as well as government agencies, the new policy will reshape how security is practiced. This poster provides a roadmap of the tools that automate the 20 most critical security controls.
Protection From the
The 20 Critical Controls are the most effective processes that organizations use Under the auspices of the Center for Strategic and International Studies, John
to stop computer attackers from gaining entry to systems and networks, or to Gilligan (the former CIO of the U.S. Department of Energy and the U.S. Air
mitigate damage from attackers who get in. The automation of these controls Force) brought together a consortium to identify the most likely and damaging
has radically lowered the cost of security while improving effectiveness.
Most Likely Attack Vectors ways systems could be attacked, and the highest priority controls that stop or
mitigate those attacks. Members of the consortium include NSA, US Cert, DoD
U.S. State Department Chief Information Security Officer,
Cyber Crime Center, and the top commercial forensic experts and pen testers
John Streufert, demonstrated more than 90 percent reduction 4) Secure Configurations for 5) Boundary Defense
6) Maintenance, serving the banking and critical infrastructure communities.
in measured security risk, across all U.S. embassies and all other Firewalls, Routers, and Switches Set boundaries consisting
State Department offices, through the automation, measurement, Deploy tools to evaluate network of firewalls, proxies, DMZ Monitoring, and Analysis
filtering devices and to search perimeter networks, and of Audit Logs
and monitoring of the majority of the Critical Controls. 7) Application Software Security
for errors and unauthorized network-based Intrusion Activate logging features
of systems, networks, and Test internally developed
configuration changes. Prevention Systems. Test and third-party software with
3) Secure Configurations for firewalls; review.
Tool (Vendor): these defenses with automated analysis tools, or
Hardware and Software on Assure-Firewall Compliance Auditor & Network Tool (Vendor):
Laptops, Workstations, and Servers
vulnerability-scanning tools. Splunk by manual application security
Compliance Auditor (Skybox Security)
Tool (Vendor): Security Blanket (Trusted Computer Solutions)
Harden systems beyond a default Firewall Analyzer & FireFlow (AlgoSec) penetration testing. Attacks
Network Advisor (RedSeal) Network Advisor (RedSeal) Security Manager (Trustwave)
state with a series of images and should lead to automatically-
secure storage servers, and verify. Network Configuration Manager – (Solarwinds) Open Log Management (LogLogic)
generated alerts.
Tool (Vendor): Tool (Vendor):
Retina & Blink (eEye Digital Security) Hailstorm (Cenzic)
Primary & IP360 (misconfigurations) Nessus & SecurityCenter (Tenable)
Nessus & SecurityCenter (Tenable) 5 8) Controlled Use of
2) Inventory of Authorized SecureFusion (Symantec)
Secondary (nCircle)
4 6 Administrative Privileges
and Unauthorized Software
Use commercial software and
CCM (FDCC) Monitor and track accounts
asset inventory tools to check 3 7 with superuser privileges.
Tool (Vendor):
for common applications and
Security Manager (Trustwave)
identify unauthorized programs.
Security Blanket
Tool (Vendor): (Trusted Computer Solutions)
Parity (Bit9)
CounterAct (ForeScout Technologies)
CCM Primary & IP360 Secondary (nCircle) 2 8
Nessus & SecurityCenter (Tenable)
9) Controlled Access
1) Inventory of Authorized
and Unauthorized Devices
Based on Need to Know
Separate sensitive data
Know what is on the network, and block from less sensitive data,
unauthorized devices from connecting.
and control access to it.
CounterAct
Tool (Vendor):
Nessus & SecurityCenter
1 9 Tool (Vendor):
(ForeScout Technologies) (Tenable) CounterAct (ForeScout Technologies)
SecureFusion (Symantec) CCM Primary,
BSA Visibility (Insightix) IP360 Secondary
(nCircle) 10) Continuous Vulnerability
Assessment and Remediation
20) Security Skills Assessment and Deploy effective scanning tools
Appropriate Training to Fill Gaps that compare the results of a
Use assessments of employees
to identify when their security 20 10 scan with the previous scans to
determine changing vulnerabilities.
knowledge is insufficient
Tool (Vendor):
for their role, and provide
Skybox Secure Solution IP360 (nCircle)
appropriate training. (Skybox Security) Nexpose (Rapid 7)
(SANS Institute) SAINT & SAINTmanager (SAINT)
QualysGuard (Qualys)
(Black Hat Briefings) CounterAct
SecureFusion (Symantec)
(ForeScout Technologies)
Nessus (Tenable)
Retina (eEye Digital Security)
19) Data Recovery Capability 19 11
Deploy a robust, secure backup 11) Account Monitoring & Control
capability for important data, and Configure systems to record more
test a random sample of system detailed information about account
Where applicable, vendors are listed in (RED) below the control’s summary access, and utilize home-grown
backups on a regular basis.
to denote companies that have produced a tool to partly or fully automate an element of the scripts or third-party log analysis
critical security controls. In order to qualify for this distinction, vendors had to comply with the following requirements: tools to analyze information.
1) Turn in a written submission addressing how existing users of the tool employ it to automate part or all of a control.
18 2) Supply contact information of an end-user from a major organization to attest and verify the tool’s capabilities. 12 Tool (Vendor):
18) Incident Response Security Blanket (Trusted Computer Solutions)
We verify that the client does use the tool to automate that control. Vendors are encouraged to apply, Security Manager (Trustwave)
Capability
and upon meeting the requirements will be added to to the ‘user vetted tools’ webpage at
Define detailed 12) Malware Defenses
www.sans.org/critical-security-controls/user-tools.php
incident response Use built-in administrative
procedures, and
engage in periodic 17 13 features of enterprise end-point
security suites to verify that
scenario-based training. antivirus, anti-spyware, and host-
based IDS/IPS features are active
16 14
on every managed system.
17) Penetration Tests and 15 13) Limitation and Control Tool (Vendor):
Red Team Exercises of Network Ports, Blink (eEye Digital Security)
Mimic the actions of computer Protocols, and Services
attackers while defining a Configure systems to minimize
16) Secure Network 14) Wireless Device
clear scope and the rules of the attack surface of listening For more detailed
Engineering 15) Data Loss Prevention Control
engagement for penetration ports and protocols,
testing, applying findings to Apply sound security Utilize DLP solutions Run wireless scanning,
deploying host-based firewalls information on the
architecture principles in to look for exfiltration detection, and
# Fully-Automated Control help improve security. to bolster defenses. 20 Critical Security Controls
Tool (Vendor):
designing the layout and attempts and to detect discovery tools, and
configuration of routers, other suspicious activities wireless Intrusion
Tool (Vendor): visit its interactive Web page at
CORE IMPACT Pro (Core Security Technologies) CCM (nCircle)
switches, significant servers, associated with a Detection Systems. www.sans.org/critical-security-
# Non-Automated Control firewalls, security components protected network. Tool (Vendor):
controls/interactive.php
and groups of client machines. Retina & Blink (eEye Digital Security)
 C Y B E R
Who are the attackers?
Amateur computer hackers/criminals
Organized crime groups
Well organized and professional, non-state actors
(i.e. political activists and hackers possibly acting on
behalf of a foreign entity)
Nation-states seeking competitive economic, financial,
or political advantage
Nation states seeking intelligence or military
advantage
Angry or unethical employees, contractors and
consultants
Outsourced or subcontracted firms and/or employees
Unethical advertisers/commercial entities
(i.e. spyware and adware providers)
The SANS Cyber Attack Threat Map illuminates the key
elements present in nearly every attack and offers a
means to map the steps in successful attacks so that
the best defensive approaches can be identified. Each
attack can be explained using a specific path through
the map. As examples, we show how the Credit Card
Data and ACH Funds Transfer thefts (in blue), Advanced
Persistent Threat infiltrations (in red), and Search Engine
Optimization scams (in green) were carried out.
SANS thanks researchers Johannes Ullrich, Ed Skoudis,
and Rob Lee for their contributions.
Top 9 Most Dangerous Attack Vectors
By Ed Skoudis, author of SANS Penetration Testing and Hacker Exploits Hands-On Courses
www.sans.org/training/description.php?mid=937
Search Engine Optimization (SEO) to Distribute
Malware: When a big news story breaks, computer
attackers use SEO techniques to make sure links to their
malicious Web pages appear near the top of popular
search engine rankings. That way, when unsuspecting
users look for a news story and click on the attacker’s link
in the search results, the attacker’s Web site delivers back
an exploit for client software, infecting the machine.
Third-Party Client-Side Software Exploits: As
underlying operating systems have grown more secure,
attackers are increasingly turning to exploits of third-
party software running on top of Windows, including
office suites (Word, Excel, and PowerPoint), media players
(Real Player, iTunes, QuickTime), and especially document
viewing tools such as Adobe Reader. Often, attackers
wield these exploits on a zero-day basis, before a vendor
has released a patch for the vulnerable software.
Spear Phishing: In this oldie-but-goodie attack, bad
guys send highly targeted e-mail to specific people
in an enterprise in an attempt to coax a victim into
opening a malicious file attachment or surf to a website
that delivers client-side exploits. The days of phishing
messages with clumsy grammar, preposterous scenarios,
and undifferentiated mailing lists of millions are waning.
Today’s most damaging spear phishing attempts are
directed at corporate executives, with carefully crafted
realistic scenarios, and flawless grammar.
Browser Hooking: By exploiting cross-site-scripting
flaws on trusted Web sites, attackers post content that
contains malicious browser scripts. When a user accesses
the attacker’s content on the trusted site, its browser runs
these scripts, giving the attacker control of the browser
itself. Attackers then use these hooked browsers as a
launch point to attack other systems, including internal
network resources and servers of the enterprise with the
hooked browser.
AT TA C K T H R E AT M A P
What is their objective? What attack vector did they use? What target systems did What types of protection
Theft of credit card data or financial credentials Widely used software with bugs, not adequately patched, they use to gain entry? could have stopped them?
to steal money or badly configured (passwords, unnecessary services)
Desktops
Theft of personal information for identity theft DEFENSIVE WALL 1:
These vulnerabilities lead to the following attacks: Laptops Proactive Software Assurance
Extortion based on fake malware detection
• Simple remote exploit PDAs • Source Code and Binary Code Testing Tools and Services
Alteration of data on Web pages or other “trusted (White Box Scanners)
• “Remote control” software (‘bots) Flash Media
sources” for economic gain, or retribution or political
purposes • Application Security Scanners (White Box Tools)
• Rootkits USB-enabled consumer devices, such as
Political purposes/disrupting trusted communications digital picture frames, cameras, and media • Network-Based Threat Assessments
• Keystroke loggers
players
Exploitation of end systems for remote control or spam • Host-Based Threat Assessments
• Information Disclosure (network/config details, etc)
Cell phones and smart phones
Exploitation of end systems for remote control for • Application Penetration Testing
• Utility Malware
DDoS PBXs and telephony infrastructure
• Application Security Skills Assessment and Certification
• Command and Control Channels
Exploitation of end systems for remote control of Network devices
DEFENSIVE WALL 2:
malware installation Vulnerabilities in custom-written applications for businesses or Wireless networks Blocking Attacks: Network Based
consumers, which lead to:
Theft of information for commercial purposes Firewalls • Intrusion Prevention (IPS) and Detection (IDS)
Theft of defense secrets for national interest • SQL injection
IDS/IPS equipment • Wireless Intrusion Prevention (WIPS)
Exploitation of computers for physical attack • Cross-Site Scripting
Routers • Network Behavior Analysis and Baselining
Persistent access for theft of timely information related • Cross-Site Request Forgery
Switches • Firewalls, Enterprise Antivirus, and Unified Threat Management
to economic, financial, or political purposes • Command Injection
DNS Servers • Secure Web Gateways
Persistent access for theft of defense secrets for • Client-Side Attacks
national interest Mail Servers • Secure Messaging Gateways and Anti-Spam Tools
Flawed protocols and weak network architectures allows the Web Servers
• Web Application Firewalls
following attacks to succeed:
Database Servers • Managed Security Services
• Man-in-the-middle attacks
Card and Financial Data Theft VPNs
DEFENSIVE WALL 3:
• Snooping/sniffing
Advanced Persistent Threat
Appliances (e.g. smart printers) Blocking Attacks: Host Based
• Session hijacking
• Endpoint Security, including anti-virus, anti-spyware, personal
Search Engine Optimization (SEO) • Lateral movement using compromised credentials firewall, host-based IPS, and related technologies
• Access to shared file servers and mail servers • Enterprise Forensic and Incident Response Capabilities
• Masquerade of legitimate users • Network Access Control
Human curiosity or desire to be helpful, or carelessness allows
Upcoming SANS Training Events
Dates and locations are subject to change.
• System Integrity Checking Tools
the following attacks to succeed: www.sans.org • Configuration Hardening Tools
• Social engineering • Restricting Admin Account Usage
SANS Boston 2010
Mass SQL Injection: For years, SQL injection attacks have focused on
• Spear phishing August 2 - 7, 2010 • Boston, MA DEFENSIVE WALL 4:
extracting sensitive data from individual Web applications and a back- • Phishing Eliminating Security Vulnerabilities
end database. Recently, attackers have ramped up SQL injection through SANS WhatWorks: Virtualization and Cloud • Network Discovery Tools
• Viruses
automation software to exploit thousands of target Web applications at Computing Summit 2010
a time. Instead of stealing data, these latest attacks focus on updating • IM messages with attachment or hyperlink to infecting site • Vulnerability Management
August 19 - 20, 2010 • Washington, DC
content in databases that will be displayed on Web sites. Today, bad guys
use SQL injection to update Web content with browser-hooking scripts • E-mail messages with attachment or hyperlink to infecting site • Network Penetration Testing and Ethical Hacking
and client-side software exploits to infect client machines.
SANS Portland 2010
• Password disclosure • Patch and Security Configuration Management and Compliance
August 23 - 28, 2010 • Portland, OR
Targeting Administrative Interfaces: Most large-scale enterprise
systems, such as endpoint security suites, network administration tools, Improper physical security practices, lack of proper inventory DEFENSIVE WALL 5:
controls, and lax data destruction practices lead to:
SANS Virginia Beach 2010 Safely Supporting Authorized Users
ERP software, and even HVAC and electrical system management, are
Aug 29 - Sept 3, 2010 • Virginia Beach, VA
configured via web-based administrative interfaces. As they hook • Identity and Access Management
browsers or exploit client-side software flaws, attackers are increasingly • Theft of computer systems and drives
hunting for these administrator interfaces so that they can control the SANS Network Security 2010 • Mobile Data Protection and Storage Encryption
• Theft of laptops, PDAs, cell phones and smart phones
associated infrastructure. September 19 - 27, 2010 • Las Vegas, NV
• Storage and Backup Encryption
• Temporary theft of laptops to grab a copy of its secrets, returning
Social Networking Sites for Information Leakage and Exploit the item before it has been noticed as missing • Content Monitoring tools
Distribution: Attackers are using very popular social networking sites, SANS WhatWorks: Legal Issues and PCI in
such as Facebook, LinkedIn, and Twitter, to gather sensitive information • Loss of tapes, disks, USB keys and other devices with sensitive data Information Security Summit 2010 • Data Leak Protection and Digital Rights Management
about enterprise operations and technologies shared by employees. September 27 - 28, 2010 • Las Vegas, NV
• Leaking confidential information to “dumpster divers” • Virtual Private Networks
Even worse, some attackers are distributing exploits and browser-
hooking scripts via social networking sites. • Leaking confidential information on machines/drives SANS Chicago 2010 DEFENSIVE WALL 6:
that are donated or resold after being “end of lifed” October 25-31, 2010 • Chicago, IL Tools to Manage Security and Maximize Effectiveness
Windows Pass-the-Hash Attacks Incorporated into Attack Suites:
Attackers are using pass-the-hash techniques against Windows systems Failure to address backup/recovery issues and business • Log Management and Security Information and
to bounce through domains across the enterprise, using stolen hashes continuity planning leads to: SANS San Antonio 2010 Event Management
instead of passwords to authenticate. Pass-the-hash capabilities October 25-31, 2010 • San Antonio, TX
are now integrated into widely used computer attack tools such as • Media Sanitization and Mobile Device Recovery and Erasure
• Loss of critical data
Metasploit and Nmap, making them easier to use in mass exploitation
• Extended interruptions of service
SANS Tysons Corner Fall 2010 • Security Skills Development
than ever.
October • Tysons Corner, VA
Hardware Hacking: As software defenses have improved and flexible • Loss of revenue and reputation • Security Awareness Training
embedded devices such as cell phones, wireless routers, and smart • Failure to meet SLAs, financial penalties SANS WhatWorks: Incident Detection and • Host and Network Based Forensics Tools
electric meters have proliferated, computer attackers are increasingly Log Management Summit 2010
turning to hardware hacking. Through bus sniffing, firmware attacks, • Physical harm to employees and contractors • Enterprise Forensics Tools
December 8 - 9, 2010 • Washington, DC
clock glitching, and other fine-grained hardware manipulation, • Governance, Risk, and Compliance Management Tools
attackers are bypassing security controls and extracting encryption
SANS CDI East 2010
keys useful in attacking the enterprise infrastructure that supports the
embedded device. For more information visit www.sans.org December 10 - 16, 2010 • Washington, DC
• Disaster Recovery and Business Continuity