Monday, December 10, 2012

Manageable Network, Critical Security Controls and NIST SP 800

Now it is the time we are so close to leave 2012 and count down to the new year, I think this is the time when I might sum up what we've seen so far in NIST Special Publications, be it as final, revised or draft release (latest count at 25). As all security practitioners would agree, SP 800s are the definitive guidelines in order to achieve all perspectives of GRC no matter what IT, financial and legal obligations the corporations need to adhere to, such as SOX, HIPAA, PCI-DSS.

Before we get to the details of those documents, let's start from the very foundation: the enterprise network. Over the years as a network and security professional, one thing I always do on any network I have managed is the "documentation". You may have the state-of-the-art installation in top-notch data center, but without the proper and updated documentation, you are just a sitting duck. To be clear, documentation "is not" the thick user manuals you received from the vendors or other documents to serve the same purpose.

The IT network documentation should be one or more of the following documents.
  • System configuration and procedure
  • Asset inventory
  • BC and DR
  • Security policies and procedures
More granular list can be found here. So what is my point of bring up the issue of not having appropriate documentation? These are my answers to that.

  1. You can't scale your infrastructure according to data growth
  2. You can't protect your network if you don't know what you have
  3. You can't sustain working environment if you don't have contingency plans
Having said that, implementing a successful documentation is not a mundane task if you follow a structured approach like this one published by NSA. The document (currently at version 2.2, published on 5 April 2012) itself is aptly named as The Manageable Network Plan and the page worthy of all your attention is at 3. You will see there are several milestones for you to counter.
  1. Prepare to document
  2. Map your network
  3. Protect your network
  4. Reach your network
  5. Control your network
  6. Manage your network, Patch Management
  7. Manage your network, Baseline Management
  8. Document your network
Now we can assign certain NIST SPs to each of the milestone to accomplish. These will also align with SANS 20 Critical Security Controls Version 4.0 in respective criteria.

CSIS: 20 Critical Security Controls - Version 4.0

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Malware Defenses
  6. Application Software Security
  7. Wireless Device Control
  8. Data Recovery Capability
  9. Security Skills Assessment and Appropriate Training to Fill Gaps
  10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  11. Limitation and Control of Network Ports, Protocols, and Services
  12. Controlled Use of Administrative Privileges
  13. Boundary Defense
  14. Maintenance, Monitoring, and Analysis of Audit Logs
  15. Controlled Access Based on the Need to Know
  16. Account Monitoring and Control
  17. Data Loss Prevention
  18. Incident Response and Management
  19. Secure Network Engineering
  20. Penetration Tests and Red Team Exercises

The following mapping is to help you get your milestones in organized manner.

MilestoneSecurity ControlSP 800
Prepare to document
Map network153
Protect network5,13,1953,94,153
Reach network117
Control network12,14,1653
Patch management453,40,137
Baseline management2,3,6,1053,121,124,147,164
Document network
Note - Mainly focused on documents released in 2012. Other related publications should be consulted too.

VoilĂ . Now you are on better side of the network management and you can move forward with optimizing what you have in hand. Let's split the tasks into 3 types of management:
  1. Risk Management
  2. Security Management
  3. Governance
For each management, we can map them in same way as above milestones.
Risk Management


Milestone
Security Control
SP 800
Backup strategy
8

Incident response and disaster recovery plans
18
34,61,83
Training
9
16,50

Security Management


Milestone
Security Control
SP 800
Virus scanners and HIPS
5

BYOD/BYON
5,17
124
Data-at-rest protection
17

NAP/NAC
1,5

SIEM
14
92
Perimeter defence
11,13
41
Policies and procedures


App whitelist/blacklist
2

Remote access security
7
48,97,121

Governance


Milestone
Security Control
SP 800
Configuration and Change Management
3,10
128
Audit strategy

55

Once you arm yourself with these milestones and controls, you could tackle not only today's network-related issues but also future expansion, effectively and efficiently. You will be ready for upcoming Bring-Your-Own-Device or Bring-Your-Own-Network in Generation Z workplace with flexible and comprehensive procedures while keeping your shields up without falling victims of hacktivism.

Here we are. Merry Christmas and Happy New Year !!!
Posted by at
Labels: , , , , , , , , , , , , , , , , , , ,