Reducing Real Risk in the Cyber World

1

• Reducing Real Risk in the Cyber World
• or
• STOP THE BLEEDING FIRST!!
• Franklin S. Reeder
• reeder_at_bellatlantic.net

2
Affiliations and disclaimers

• Information System Security and Privacy Advisory
  Board http//csrc.nist.gov/csspab
• Center for Internet Security www.CISecurity.org
• Personal

3
Managers are frustrated about how to manage
security

• What do I need to do?
• How much is enough?
• Who can I trust?
• How can I resolve the conflicting advice Im
  receiving from the experts?
• How can I get beyond what seems like a cycle of
  futility?

4
Security staff is frustrated

• All management wants is operational performance
  and convenience
• People dont understand the inherent tension
  between security and usability
• Management is reinforcing the wrong psychology
• Vendor security defaults are useless
• Staff time is consumed with installing patches
  and investigating intrusions

5
Everyone is frustrated

• About how to deal with a problem of global scope
  in a world focused on narrow competitive
  self-interest

6
To make it worse, we have met the enemy, and it
is us

• Through 2005, 90 percent of cyber attacks will
  continue to exploit known security flaws for
  which a patch is available or a preventive
  measure known.
• Gartner Group, May 6, 2002

7
Whats the problem? Plenty of standards are
available

• ISO 17799
• COBIT from ISACA
• SysTrust, WebTrust from AICPA
• FISCAM from GAO
• Principles and Practices for Security of IT
  Systems from NIST
• Standard of Good Practice from ISF

8
The devil is in the granular details that these
standards dont address
9
Redefining the risk management paradigm
10
Are we facing a cyber Pearl Harbor? Probably not

• More like a hurricane (s)
• Localized
• Potentially intense
• Affecting a community not necessarily defined by
  geography

11
The old approach

• Zero-based risk assessments
• Identified
• Vulnerabilities
• Threats
• Probabilities

12
A new way of approaching risk

• Vulnerability-based
• Recognizes
• Common risks
• Shared or community risks

13
A new vocabulary

• Common risks exposures that everyone who
  operates a particular technology incurs
• Shared risks damage that you can inflict on
  others as a result of vulnerabilities in your
  systems and vice versa

14
The simple message

• You dont have to do a zero-based risk assessment
  to know that you should deal with common and
  shared risks

15
Stop the BLEEDING first
16
What are the business drivers

• In the private sector
• Tort liability
• Insurability
• Reputational risk
• Financial exposure
• In the public sector
• Mission
• Political risk/public confidence

17
Emerging

• A new notion of due care

18
The Center for Internet Security (CIS)

• Formed in October 2000
• A not-for-profit membership consortium of users
• No commercial self interest
• Focused on the common needs of the global
  Internet community
• Knowledge transfer from haves to have-nots
• Prevent undue influence by commercial vendors
• Convene and facilitate consensus on detailed
  operational best practices
• Modeled after other community initiatives, e.g.,
  transportation safety

19
Responding to the challenge

• Need to develop and proliferate detailed
  operational best practices
• The only true solution is to raise the bar
  everywhere--globally
• Private sector wont trust govt to do it
• Private sector companies dont trust each other
  because of competitive self-interest

20
Some of the participants in the consensus effort

• Government
• National Institute of Standards and Technology
• Infocomm DevelopmentAuthority of Singapore
• Naval Surface Warfare Center
• US Treasury Financial Management Service
• Washington State Dept. of Health
• US Army Corps of Engineers
• Defense Info Sys Agency
• Federal Reserve System

• NASA
• Australian Natl Audit Ofc
• US Dept of Justice
• Library of Congress
• Royal Canadian Mounted Police
• Communications Security Establishment (Canada)
• Canadian CERT
• GSA
• NSA
• FBI/NIPC
• FedCIRC
• State of Maryland

21
Participants (contd)

• Allegheny Energy
• Baltimore Gas Electric
• Pitney Bowes
• Component Graphics
• eScout.com
• Emprise Technologies
• REDW Technologies
• Educational Testing Svc.
• Financial Models Co.
• Agilent Technologies
• Shell Info. Tech. Intl
• PeopleSoft
• News Corporation

• Commercial
• Eastman Kodak
• Pacific Gas Electric
• SASKTel
• Lucent Technologies
• LGE Energy
• Hallmark
• Chevron
• Intel
• Vulcan Materials
• Mrs. Smiths Bakeries
• Caterpillar
• Intuit
• NCR

22
More (contd)

• Finance/Insurance/Healthcare
• VISA
• Allstate
• First Union Corporation
• Natl Life Assurance Co of Canada
• U.S. Central Credit Union
• Union Bank of California
• City National Bank (LA)
• Baylor College of Medicine
• Swiss Reinsurance Co (SwissRe)

• Consulting/Service
• Permeo Technologies
• WorldPort (Ireland)
• Guardent
• Procinct Security
• Server Vault
• Grant Thornton
• Integralis Ltd (England)
• Solutionary
• Polivec

23
More (contd)

• Universities
• Institute for Security Technology Studies at
  Dartmouth
• Virginia Tech
• Monash University (Australia)
• University of Alabama at Birmingham
• University of Missouri
• Blenkinge Inst. of Technology (Sweden)
• Utah State University
• University of California, SF
• New York University

• Consulting/Service
• PricewaterhouseCoopers
• Deloitte Touche
• ISS
• Symantec
• BindView
• Harris
• NetIQ
• VIGILANTe
• SecureNet Solutions
• Computer Sciences Corp.

24
Auditing Participants

• Information Systems Audit and Control Association
  (ISACA)
• American Institute of Certified Public
  Accountants (AICPA)
• Institute of Internal Auditors (IIA)

25
The consensus process

• Focus on real world user needs
• Form a team for each environment
• Dedicated email dialogue
• Conference calls
• Start with whatever best practice guidelines are
  available
• Refine via discussion revise until consensus is
  reached
• Produce a benchmark and a scoring tool
• Make them available free to everyone

26
What has collaboration achieved so far?
27
Currently available

• Level I Configuration Benchmarks
• Solaris
• Linux
• HP-UX
• Windows NT
• Windows 2000
• Cisco Router IOS

28
Solaris 3.17 Turn on inetd tracing, or
disable inetd if possible Action cd
/etc/init.d if s /etc/inet/inetd.conf
then awk '/\/usr\/sbin\/inetd/ \ 1
"/usr/sbin/inetd -t" print ' inetsvc
gtnewinetsvc else rm f /etc/inetd.conf
/etc/inet/inetd.conf awk '/\/usr\/sbin\/inetd/
\ 1 "/usr/sbin/inetd -t" print '
inetsvc gtnewinetsvc fi chown rootsys
newinetsvc chmod 744 newinetsvc rm f
/etc/rc2.d/S72inetsvc ln s /etc/init.d/newinetsvc
/etc/rc2.d/S72inetsvc Discussion If the actions
in Section 2 of this benchmark resulted in no
services being enabled in /etc/inet/inetd.conf,
then we may as well disable the inetd service
completely on this system. In any event, it is a
good idea to make use of the "tracing" (-t)
feature of the Solaris inetd that logs
information about the source of any network
connections seen by the daemon. This information
is logged via Syslog and the administrator must
specifically configure the system to capture this
information (see Item 5.2 below).
29
A Level I Benchmark

• Can be implemented by a sysadmin of any level of
  security expertise
• Can be monitored by a compliance tool
• Is not likely to break any function
• Represents a baseline level of security

30
Currently available

• Gold Standard Benchmarks
• W2K Professional Level II
• W2K Server Level II
• CISCO Router IOS Level I/II
• Solaris Level I

31
Currently available

• Configuration Scoring Tools
• Solaris
• Linux
• HP-UX
• Windows NT
• Windows 2000 Server
• Windows 2000 Professional
• Cisco Router IOS

32
(No Transcript)
33
Under development

• Benchmarks and Scoring Tools for
• Apache
• Windows IIS
• Catalyst Switches
• PIX Firewall
• Check Point FW-1
• Windows NT Gold Standard
• Oracle
• SQL Server
• Juniper Router

34
Coming later

• Applications
• Appliances

35
Remember this quote?

• Through 2005, 90 percent of cyber attacks will
  continue to exploit known security flaws for
  which a patch is available or a preventive
  measure known.
• Gartner Group, May 6, 2002

36
The good news Research concludes that 80-90 of
known vulnerabilities are blocked by the security
settings in the consensus benchmarks. There is
an abundance of low-hanging fruit we all can pick
to substantially reduce our risk of unauthorized
intrusion.
37
Research methodology

• (1) Scan a system out of the box and list
  identified vulnerabilities
• (2) Configure the system with the appropriate
  benchmark
• (3) Rescan the system and note the
  vulnerabilities remaining

38
This case Study is available at www.cisecurity.org
39
Another study (NSA)
Reduction 96 90 50
91
40

• Yet another study (Mitre)
• Windows 2000 Professional Gold Standard
  configuration reduced CVE vulnerabilities by 83

41
IA Newsletter describing the NSA and Mitre studies

• Vol 5, Number 3, Fall 2002
• http//iac.dtic.mil/iatac/news_events/ia_newslette
  r.htm

42
Encouraging signs

• Federal govt adoption of CIS benchmarks and
  tools
• VISA adoption of CIS benchmarks for its
  Cardholder Information Security Programs Digital
  Dozen
• Progress at the vendor level
• Dell
• Microsoft

43
What you can do

• Adopt security best practices wherever you find
  them The Center for Internet Security
  benchmarks and scoring tools available free at
  http//www.cisecurity.org
• Focus your energies on matters unique to your
  organization
• Share your knowledge - Work with the user
  community for everyones benefit the bad guys
  communicate with each other shouldnt we?