Monitoring your organization against threats - Critical System Control


Published on April 24, 2014

Author: MarcAndreHeroux



Organizations face various types of threats, which can come from inside the organization, from outside, or from both. This article focuses on monitoring informational resources against all types of threats to the critical functions supported by computer equipment such as servers, desktops, switches, routers and firewalls.

Security and Compliance: Monitoring, controlling, and changes

Monitoring your organization against threats - Critical System Control
Montreal, April 24, 2014
By Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM, Compliance & Security Advisor

Today, some people think that keeping a system or its state hidden makes it more secure. Probably because of my own experience and knowledge of cyber security, I see things a little differently from many other experts. Over the last 17 years, I have implemented and conducted security assessments against many types of critical systems, often connected to the Internet. Critical public systems such as DNS, web, mail and VPN servers, using authentication mechanisms such as saslauthd, OAuth2 or SAML against Oracle, MySQL or MS-SQL back ends, and relying on technologies such as LDAP over SSL, can be easily discovered by attackers.

Why monitor for potential threats? Simple: organizations are becoming more and more interconnected, and treating obscurity as a security control amounts, in my view, to ignoring the new reality of interconnected networks and the risk surrounding the Internet. As a security specialist I share the approach of Kerckhoffs's principle [i], also formulated by Claude Shannon as "the enemy knows the system" and widely adopted by cryptographers as opposed to security by obscurity: a critical system can be known and still be secure.

For a critical system connected to the Internet, I recommend keeping it up to date (e.g.: latest kernels, modules, etc.), continuously monitoring it for threats and abnormal activities, and correcting issues when they are detected by implementing or fixing a physical, operational, administrative or technical control. I also recommend application control such as whitelisting, and an IPS (if the data flows are critical, IDS mode is usually preferable). For a critical system not connected to the Internet, or not connected to any network (no access in, no access out), my recommendations differ and depend on many elements. This article explains the basic elements you may have to consider in order to choose the proper controls.

Lock and monitor

Most knowledgeable security specialists understand that we "monitor" traffic for critical activities, such as bank transactions, Programmable Logic Controllers (PLC) and critical computers used by industrial organizations (e.g.: energy), with an IDS, and that we do not use an IPS there. Such experts understand when it is preferable to use an IPS: often against Internet threats carried in TCP segments, and never against frames of internal networks (e.g.: Ethernet II) when critical systems are involved, because an inline device that drops a legitimate control message is itself an availability incident. This applies to all organizations conducting critical activities: banks, energy, industry, etc. Monitoring traffic is crucial and often mandatory (e.g.: NERC [ii]). Filtering and blocking malicious traffic is often optional, but I usually suggest an IPS to detect and block threats in incoming and outgoing traffic at the boundaries of critical perimeters (e.g.: Internet to intranet, intranet to critical perimeter gateways), and never inside electronic security perimeters (ESP), where blocking valid traffic could lead to various operational disaster scenarios.

Security and compliance involve, by default, exceptions, justifications and compensatory measures. In all organizations there are situations where it is, with reason, considered more secure not to apply any change to a specific system (e.g.: a bank HSM usually remains unchanged; mainframes and Unix systems are other examples, especially in industrial organizations). In the energy sector, for instance, Technical Feasibility Exceptions (TFE) can justify exempting a system from running a protective control such as anti-malware, or from applying any system or firmware update.

Security paradigm

Although keeping a system unchanged is usually considered insecure, sometimes it is the only way to keep it at an acceptable security posture given the potential impact of a loss, especially when systems are isolated and very critical. In those situations a justification (e.g.: ticket, derogation, statement of applicability, etc.) must be provided to document the reasons for the exception and its duration. An organization can be compliant and secure while systems remain unchanged for a long period of time (e.g.: years), and it is important to understand this reality in large corporations conducting critical activities.
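An exception like the ones above only holds if the organization can show that the frozen system really has stayed unchanged, which is what a file-integrity control (the kind of check Tripwire performs) provides: a hashed baseline is taken while the system is in its approved state and every later run is compared against it. The following is an added example in Python, not the author's code or any vendor's product; the directory layout, file names and tampering scenario are constructed for the demonstration:

```python
"""Integrity baseline for a system that is meant to stay unchanged.

Added example, not the author's code: hashes every regular file under a
root, records the digest and permission bits, and reports added, removed
and modified files on a later run. The sample tree below is constructed
in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest and mode bits."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # directories and symlinks are not part of this baseline
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {
            "sha256": file_digest(path),
            "mode": path.stat().st_mode & 0o7777,  # permission + setuid/setgid/sticky bits
        }
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Added / removed / modified paths; modified covers content or mode changes."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a toy root, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "plc-agent").write_bytes(b"\x7fELF original agent binary")
        (root / "etc" / "agent.conf").write_text("mode=read-only\n")
        (root / "etc" / "legacy.conf").write_text("unused\n")
        os.chmod(root / "bin" / "plc-agent", 0o755)
        os.chmod(root / "etc" / "agent.conf", 0o644)

        before = build_baseline(root)

        # Tampering: binary replaced, config permissions loosened, one file
        # removed, one file dropped in.
        (root / "bin" / "plc-agent").write_bytes(b"\x7fELF trojaned agent binary")
        os.chmod(root / "etc" / "agent.conf", 0o666)
        (root / "etc" / "legacy.conf").unlink()
        (root / "bin" / "dropper.sh").write_text("#!/bin/sh\n")

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is written out (for example as JSON) to media the monitored host cannot modify, and the comparison runs from a separate, trusted host; a baseline that lives on the system it protects can be rewritten by the same attacker who rewrote the binary. Mode bits are recorded because loosening the permissions on a configuration file is a modification even when its contents are untouched.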
Not all systems can remain secure while unchanged; the valid cases are usually systems isolated in restricted networks or not connected to any computer network at all. This is where compensatory measures are especially important (e.g.: the Stuxnet virus [iii] was able to infect critical systems in particular because of a lack of procedures surrounding the acceptable use of USB keys). The use of USB keys on critical systems must be strictly controlled and ideally avoided: an infected USB key can lead to disclosure and modification of information and, in some cases, to system malfunction and disruption. Good practices and appropriate procedures in the management of critical systems allow many organizations to remain safe against technical threats while monitoring for abnormal activities. For critical systems we often suggest applying controls to keep the system unchanged and monitoring it for abnormal behaviours or modifications. As opposed to general security practice, which recommends regular system updates, critical systems (e.g.: industrial, banking) must remain unchanged for a long period and be monitored for abnormal activities or behaviours. This "controlling and monitoring" approach can be very effective.

Technically, the most challenging aspects of controlling and monitoring are selecting the proper controls (e.g.: McAfee Application Control, Tripwire, etc.), the IDS location (e.g.: boundaries of perimeters) and where the sensors send their captured logs, the placement of the sensors, and the type of traffic to monitor (e.g.: UDP, TCP, Ethernet II). Remember that monitoring local traffic is necessary to detect layer 2 threats (e.g.: MAC address attacks), which a sensor outside the broadcast domain never sees. As already mentioned, in certain circumstances, especially for critical electronic assets, a machine can remain out of date (kernel, modules, etc.) and this can be justified and considered acceptable and secure based on the threats and vulnerabilities assessed. It is important to remember that this concept applies to all organizations. Updating a system is not necessarily the option to consider, while at other times change is the only acceptable way to remain secure. Finally, while often mandatory, monitoring against threats is a crucial security activity from which all organizations can benefit.

[i] David Salomon, "Kerckhoffs's principle", Data Privacy and Security: Encryption and Information Hiding, 2003, ISBN 0-387-00311-8, pp. 15, 435.
[ii] North American Electric Reliability Corporation (NERC), CIP-005-4 R3, Monitoring Electronic Access.
[iii] Katherine Hibbs Pherson, Randolph H. Pherson, "Part V: Case Studies", Critical Thinking for Strategic Intelligence, 1st ed., 2013, ISBN 978-1452226675, p. 240.
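The layer 2 point made in the article can be made concrete. On a critical segment whose hosts do not change, a sensor on the local network has a static inventory to compare against, so it can flag an IP address answered by the wrong MAC (ARP spoofing), a MAC address that is not in the inventory (rogue device) and a single switch port learning an unusual number of MACs (MAC flooding); none of these is visible to a sensor outside the broadcast domain. The following is an added example in Python, not from the original article; the inventory, port names, threshold and ARP observations are constructed for the demonstration:

```python
"""Layer 2 monitoring of a critical segment against a static inventory.

Added example, not code from the original article. The inventory, switch
port names, threshold and ARP observations below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical static inventory of the segment: IP -> expected source MAC.
INVENTORY = {
    "10.10.1.1": "00:1d:9c:aa:00:01",   # gateway
    "10.10.1.10": "00:1d:9c:aa:00:10",  # PLC
    "10.10.1.11": "00:1d:9c:aa:00:11",  # HMI
}

# Distinct source MACs seen on one access port before we call it flooding.
FLOOD_THRESHOLD = 3


@dataclass(frozen=True)
class ArpObservation:
    """One ARP reply as a local sensor records it: which MAC claimed which IP, on which port."""
    ts: str
    port: str
    src_mac: str
    src_ip: str


def analyse(observations, inventory=INVENTORY, flood_threshold=FLOOD_THRESHOLD,
            uplink_ports=frozenset()):
    """Return a list of (kind, detail) alerts. Kinds: spoof, rogue, flood."""
    alerts = []
    macs_per_port = defaultdict(set)

    for obs in observations:
        mac = obs.src_mac.lower()
        macs_per_port[obs.port].add(mac)
        expected = inventory.get(obs.src_ip)
        if expected is None:
            # A host the inventory does not know about is speaking on the segment.
            alerts.append(("rogue", f"{obs.ts} unknown host {obs.src_ip} ({mac}) on {obs.port}"))
        elif mac != expected.lower():
            # An inventoried IP answered by another MAC: ARP spoofing / poisoning.
            alerts.append(("spoof", f"{obs.ts} {obs.src_ip} claimed by {mac} on {obs.port}, "
                                    f"expected {expected}"))

    # Uplinks and trunks legitimately carry many MACs, so only access ports are checked.
    for port, macs in sorted(macs_per_port.items()):
        if port not in uplink_ports and len(macs) >= flood_threshold:
            alerts.append(("flood", f"{len(macs)} distinct MACs on {port}: {sorted(macs)}"))
    return alerts


# Constructed sensor output: two legitimate replies, then a device on port Gi1/0/7
# answering for the gateway and cycling through forged addresses.
OBSERVATIONS = [
    ArpObservation("09:00:01", "Gi1/0/1", "00:1d:9c:aa:00:10", "10.10.1.10"),
    ArpObservation("09:00:02", "Gi1/0/2", "00:1D:9C:AA:00:11", "10.10.1.11"),  # case differs, still valid
    ArpObservation("09:00:05", "Gi1/0/7", "de:ad:be:ef:00:01", "10.10.1.1"),
    ArpObservation("09:00:06", "Gi1/0/7", "de:ad:be:ef:00:02", "10.10.1.77"),
    ArpObservation("09:00:07", "Gi1/0/7", "de:ad:be:ef:00:03", "10.10.1.78"),
    ArpObservation("09:00:07", "Gi1/0/7", "de:ad:be:ef:00:04", "10.10.1.79"),
]

if __name__ == "__main__":
    for kind, detail in analyse(OBSERVATIONS):
        print(f"[{kind}] {detail}")
```

Uplink and trunk ports legitimately learn many MAC addresses, so they are excluded from the flooding check rather than given a higher threshold. In a real deployment the observations come from a SPAN port or from the switch's own MAC and ARP tables, and the inventory is the same documented asset list that justifies keeping the segment unchanged in the first place.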
