Critical Security Controls: Part 2 (with Brian Ventura)
Joe Gray
Oct 31, 2016
ADVANCED PERSISTENT SECURITY PODCAST

EPISODE 24

GUEST: Brian Ventura

October 31, 2016

If you enjoy this podcast, be sure to give us a 5 Star Review and “Love Us” on iTunes; Like us on Google Play, Stitcher, Sound Cloud, Spreaker, and YouTube.

NOTE: The opinions expressed in this podcast are ours alone and do not reflect those of our employers

NOTE: This series was originally intended to be a single episode. Because we recorded in excess of three hours of content, we decided (after the fact) to split this into 2 episodes.

Critical Security Controls: Part 2 SHOW NOTES

PART 1

Controls:

6. Maintenance, Monitoring, and Analysis of Audit Logs

7. Email and Web Browser Protections

8. Malware Defenses

9. Limitation and Control of Network Ports, Protocols, and Services

10. Data Recovery Capability

Controls 6 through 10 deal mostly with system-level controls. We pick up where we left off and continue the discussion, immediately jumping into logging. We discuss protection of logs, meaningful logging, and the need for correlation. We then shift to email and browser protection, which leads to a discussion of scripting languages, BeEF mitigations, and the need for whitelisting. We talk about the role of Sender Policy Framework (SPF) in eliminating spam. We discuss mitigation techniques for modern malware, as opposed to conventional malware, and limiting removable media such as USB flash drives, CDs, etc. We note the correlation between control 9 and control 2 and discuss limiting ports and protocols and using them for service discovery. The final control in this section covers the ability to actually recover from a backup at the server level or higher.

PART 2

Controls:

11. Secure Configurations for the Network Devices such as Firewalls, Routers, and Switches

12. Boundary Defense

13. Data Protection

14. Controlled Access Based on the Need to Know

15. Wireless Access Control

Controls 11 through 15 deal mostly with networking-level controls. We discuss the conversation to be had with the networking teams about secure configurations, multi-factor authentication (MFA), VLANs, patching, and updating systems. In terms of Boundary Defense, we discuss internal (East/West) and external (North/South) boundary defense. Brian talks about Data Loss Prevention (DLP) versus Data Protection. We talk about account management, provisioning and de-provisioning accounts, and expiration of accounts. The discussion of wireless access control covers wireless effective range, cryptography, and key management.

PART 3

Controls:

16. Account Monitoring and Control

17. Security Skills Assessment and Appropriate Training to Fill Gaps

18. Application Software Security

19. Incident Response and Management

20. Penetration Tests and Red Team Exercises

Account monitoring and control yields much the same as previous sections in that the organization MUST define policies for account management and monitoring. There must be controls in place to protect the user and the organization from credential attacks. With regard to Security Skills Assessment and Appropriate Training to Fill Gaps, we are both biased, as we both have upcoming SANS courses; we discuss some other alternatives. From the aspect of training, Joe advocates that organizations put the exact desired responses from the user into annual training and awareness programs. We give an overview of Application Security (refer to Episode 16: Introduction to Application Security with Frank Rietta for more information). We talk about the necessity of Incident Handling and Response backed by strong policy and testing. The final control sees us talk about the maturity required to actually make use of Penetration Testing: if an organization is not mature enough to make meaningful use of the other controls, penetration testing is unlikely to be the answer.

ABOUT BRIAN

Brian Ventura

Brian has 20+ years in Information Technology, ranging from systems administration to project management and information security. He is an Information Security Architect in Portland, Oregon and volunteers as the Director of Education for the Portland ISSA Chapter. Brian holds his CISSP and GCCC, as well as other industry certifications. As the Director of Education, Brian coordinates relevant local and online training opportunities.

CONTACTING BRIAN:

Twitter: @brianwifaneye

Brian’s SANS Instructor Profile

Brian’s SANS Courses:
SEC440: Critical Security Controls: Planning, Implementing and Auditing (2 day course in Pittsburgh, PA: February 1 and 2, 2017)

SEC566: Implementing and Auditing the Critical Security Controls – In-Depth (5 day course in Seattle, WA: February 6 through 10, 2017)
LINKS TO RESOURCES MENTIONED:

Australian Signals Directorate 35 Strategies to Mitigate Cyber Intrusions

CSA Treacherous 12 (PDF)

OWASP Top 10

OWASP ASVS 3.0 (PDF)

National Cyber Security Awareness Month (Stay Safe Online)

CIS Critical Security Controls

GARY MCGRAW BOOKS

Software Security: Building Security In

Building Secure Software: How to Avoid Security Problems the Right Way

Exploiting Online Games: Cheating Massively Distributed Systems

Software Security Library Boxed Set, First Edition
PASSWORD BLOG LINKS:

AlienVault

Hosted Locally on Advanced Persistent Security

WI-FI BLOG LINK:

AlienVault

Hosted Locally on Advanced Persistent Security

POWERSHELL LINK:

AlienVault

Thanks for stopping by and checking out our podcast. We would appreciate if you could subscribe (assuming you like what you hear; we think you will). This is meant to be informative and to provide value to anyone who listens – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

The post Critical Security Controls: Part 2 (with Brian Ventura) first appeared on Advanced Persistent Security.

© 2023 The OSINion