Hardening device, vulnerability scanning and mitigation of threats to compliance and security

All security standards and corporate governance compliance criteria, such as PCI DSS, GCSX CoCo, SOX (Sarbanes-Oxley), NERC CIP, HIPAA, HITECH, GLBA, ISO 27000 and FISMA, require devices such as PCs, Windows servers, Unix servers and network devices such as firewalls, Intrusion Prevention Systems (IPS) and routers to be secure, so that they keep confidential data safe.

There are a number of buzzwords in use in this area: what are security vulnerabilities and device hardening? 'Hardening' a device requires known security 'vulnerabilities' to be eliminated or mitigated. A vulnerability is any weakness or flaw in the software design, implementation or administration of a system that provides a mechanism for a threat to exploit that system or process. There are two main areas to address in order to eliminate security vulnerabilities: configuration settings, and software flaws in program and operating system files. Eliminating a vulnerability of either type requires either 'remediation', typically a software update or patch for the program or operating system files, or 'mitigation', a change to the configuration settings. Hardening is required equally for servers, workstations and network devices such as firewalls, switches and routers.

How do I identify vulnerabilities? A vulnerability scan or an external penetration test will report on all the vulnerabilities that apply to your systems and applications. You can buy in scanning and pen testing services from a third party. A pen test is by its nature done externally via the public internet, as this is where any threat would exploit from. Vulnerability scanning services, by contrast, must be delivered in situ, on site. This can be done by a third-party consultant with scanning hardware, or you can purchase a 'black box' solution whereby a scanning appliance is permanently located within the network and scans are provisioned remotely. Of course, the results of any scan are only accurate at the time of scanning, which is why solutions that track configuration changes continuously are the only real way to ensure that the security of your estate is maintained.

What is the difference between 'remediation' and 'mitigation'? 'Remediation' of a vulnerability means the flaw is removed or fixed permanently, so this term generally applies to any software upgrade or patch. Patch management is increasingly automated by the operating system and product developers: as long as you apply patches when they are released, the built-in vulnerabilities will be remediated. As an example, the recently reported Operation Aurora, classified as an Advanced Persistent Threat, or APT, managed to infiltrate Google and Adobe. A vulnerability in Internet Explorer was used to plant malware on the targeted users' PCs, which allowed access to sensitive data. Remediation for this vulnerability is to apply the patch Microsoft released for Internet Explorer. Vulnerability 'mitigation' via configuration settings ensures that vulnerabilities are disabled rather than removed. Configuration-based vulnerabilities are no more or less potentially harmful than those that need to be remediated by a patch, and a securely configured device can often mitigate a program- or operating-system-based threat. The biggest problem with configuration-based vulnerabilities is that they can be reintroduced or re-enabled at any time: just a few clicks are needed to change most configuration settings.

How often are new vulnerabilities discovered? Unfortunately, all the time! Worse, often the only way the global community discovers a vulnerability is after a hacker has discovered and exploited it. It is only once the damage has been done and the hack has been traced back to its source that a preventative course of action, whether a patch or a configuration setting, can be formulated. There are various centralized repositories of threats and vulnerabilities on the web, such as the MITRE CVE and CCE lists, and many security product vendors compile real-time threat reports or 'storm center' websites.

So all I have to do is work through the checklist and then I'm secure? In theory, yes, but there are literally hundreds of known vulnerabilities for each platform, and even in a small IT estate the task of verifying the hardened state of each device is almost impossible to conduct manually.

Even if you automate the vulnerability scanning task using a scanning tool to identify how hardened your devices are to begin with, you will still have work to do to mitigate and remediate the vulnerabilities found. And this is only the first step. Consider a typical configuration vulnerability: a Windows Server should have the Guest account disabled. If you run a scan, identify the devices where this vulnerability exists, and then mitigate it by disabling the Guest account, you will have hardened those devices. However, if another user with administrator privileges later accesses the same servers and re-enables the Guest account for any reason, they will again be left exposed. Of course, you will not know that a server has been made vulnerable until you next run a scan, which may not be for another three months, or even twelve. There is another factor not yet covered, which is how you protect your systems against an internal threat; more on that later.

So tight change management is essential to ensure we remain compliant? Exactly: Section 6.4 of the PCI DSS describes the requirements for a formally managed change management process for this very reason. Any change to a server or network device can affect the 'hardened' state of the device, so it is essential that this is considered when making changes. If you are using a continuous configuration change tracking solution, you will have an audit trail available, giving you 'closed loop' change management: the details of the approved change are documented alongside details of the exact changes that were actually applied. In addition, the modified devices are re-assessed for vulnerabilities and their compliance status confirmed automatically.
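The following is an added illustration of that 'closed loop', written for this page; it is not NNT's product or the code of any real scanning tool. A hardening baseline, two configuration snapshots of one server and a list of approved change tickets are all constructed inline, and the setting names (guest_account_enabled and so on), the hostname and the ticket number CHG-1042 are assumptions for the example. Each new snapshot is diffed against the previous one, every changed setting is matched against an approved change, anything left over is reported as unapproved drift (here, the Guest account being switched back on), and the new snapshot is re-checked against the baseline in the same pass.

```python
"""Closed-loop configuration change tracking (added example; all data constructed)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ApprovedChange:
    ticket: str       # change-management reference (assumed format)
    host: str
    setting: str
    new_value: object


@dataclass
class DriftReport:
    host: str
    approved: dict = field(default_factory=dict)    # setting -> ticket
    unapproved: dict = field(default_factory=dict)  # setting -> (old, new)
    failed_checks: list = field(default_factory=list)


# Hardening baseline: the state each device must be in. Boolean entries must
# match exactly; numeric entries are minimums. Setting names are assumed.
HARDENING_BASELINE = {
    "guest_account_enabled": False,
    "smbv1_enabled": False,
    "rdp_nla_required": True,
    "password_min_length": 14,
}


def compliance_failures(snapshot, baseline=HARDENING_BASELINE):
    """Return the baseline settings that the snapshot does not satisfy."""
    failures = []
    for setting, want in baseline.items():
        got = snapshot.get(setting)
        if isinstance(want, bool):
            ok = got == want
        else:  # numeric minimum
            ok = got is not None and got >= want
        if not ok:
            failures.append(setting)
    return failures


def diff_snapshots(prev, cur):
    """Map each setting whose value changed between two snapshots to (old, new)."""
    return {
        key: (prev.get(key), cur.get(key))
        for key in sorted(set(prev) | set(cur))
        if prev.get(key) != cur.get(key)
    }


def reconcile(host, prev, cur, approved_changes):
    """Close the loop: every detected change must correspond to an approved ticket."""
    report = DriftReport(host=host)
    expected = {
        (c.setting, c.new_value): c.ticket
        for c in approved_changes if c.host == host
    }
    for setting, (old, new) in diff_snapshots(prev, cur).items():
        ticket = expected.get((setting, new))
        if ticket is not None:
            report.approved[setting] = ticket
        else:
            report.unapproved[setting] = (old, new)
    report.failed_checks = compliance_failures(cur)
    return report


def demo():
    """Constructed scenario: the server was hardened, one change was approved,
    then an administrator quietly re-enabled the Guest account."""
    host = "pay-app-01"  # assumed hostname
    after_hardening = {
        "guest_account_enabled": False,
        "smbv1_enabled": False,
        "rdp_nla_required": True,
        "password_min_length": 14,
    }
    approved = [ApprovedChange("CHG-1042", host, "password_min_length", 16)]
    next_snapshot = dict(after_hardening,
                         password_min_length=16,      # the approved change
                         guest_account_enabled=True)  # nobody approved this
    return reconcile(host, after_hardening, next_snapshot, approved)


if __name__ == "__main__":
    r = demo()
    print("approved changes:", r.approved)
    print("unapproved drift:", r.unapproved)
    print("failed checks:   ", r.failed_checks)
```

The point of matching on (setting, new value) rather than on the setting alone is that an approved ticket to raise the password length does not also excuse an unrelated change on the same host; in a real deployment the snapshots would come from the tracking agent and the approved changes from the change-management system.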

What about internal threats? Cybercrime has joined the league of organized crime, which means it is no longer just malicious hackers showing off their skills as a hobby! Firewalls, Intrusion Prevention Systems, antivirus software and fully implemented device hardening measures will still not stop or detect a rogue employee working as a 'man on the inside'. This kind of threat can result in malware being introduced to otherwise secure systems by an employee with administrator rights, or a backdoor being planted in core business applications. Similarly, with the advent of Advanced Persistent Threats (APT), as publicised by the 'Aurora' hack, social engineering is used to trick employees into introducing 'zero-day' malware. 'Zero-day' threats exploit previously unknown vulnerabilities: a hacker discovers a new vulnerability and formulates an attack process to exploit it. The job is then to understand how the attack occurred and, above all, how to remediate or mitigate future re-occurrences of the threat. By their nature, anti-virus measures are often powerless against 'zero-day' threats. In fact, the only way to detect this type of threat is to use file integrity monitoring technology. "All the firewalls, Intrusion Protection Systems, anti-virus and Process Whitelisting technology in the world will not save you from an orchestrated internal hack where the perpetrator has administrator rights to key servers or legitimate access to application code. File integrity monitoring, used in combination with tight change control, is the only way to properly govern sensitive payment card systems," Phil Snell, CTO, NNT.

See our other whitepaper, 'File Integrity Monitoring - The Last Line of Defense of the PCI DSS', for more background on this area, but here is a brief summary. Clearly, it is important to check all file additions, modifications and deletions, as any change can be significant in compromising the security of a host. This can be achieved by monitoring for changes to a file's attributes and size.

However, since we are trying to prevent one of the most sophisticated types of hack, we need a far more robust means of ensuring the integrity of files. This requires each file to be 'DNA fingerprinted', typically using a cryptographic hash function. Such a function, for example SHA-256 (SHA-1 and MD5 are still found in older tools, but both have practical collision attacks, which matter whenever an attacker can supply the original file, so SHA-256 should be used for new deployments), produces a single hash value based on the contents of the file, and guarantees that changing even a single character in the file will be detected. This means that even if a program is modified to expose payment card data, and the file is then 'padded' to the same size as the original and every other attribute adjusted so that the file looks and feels the same, the change will still be exposed. This is why the PCI DSS makes File Integrity Monitoring a mandatory requirement, and why it is increasingly considered a component of vital importance to system security alongside firewalls and anti-virus defenses.
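As an added example written for this page (not NNT's product or the code of any FIM tool), the following shows exactly the padding case described above. It builds a baseline of size, modification time and SHA-256 fingerprint for a constructed directory tree, then modifies a file that stands in for card-handling application code, pads it back to its original size and restores its timestamp. A comparison on size and mtime alone reports nothing; the hash comparison flags the file. The file names, contents and the 'leak(card)' tampering are constructed for the example, and SHA-256 is used rather than the SHA-1/MD5 named in the text.

```python
"""File integrity monitoring: size/mtime checks versus a SHA-256 fingerprint.

Added example (not NNT's product). All files are constructed inside a
temporary directory; 'bin/process_payment.py' stands in for an application
file that handles card data.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def fingerprint(path):
    """Attributes a naive monitor checks (size, mtime) plus the content hash."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": sha256_file(path)}


def build_baseline(root):
    """Fingerprint every regular file below root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, root, use_hash):
    """Return {relative_path: 'added' | 'deleted' | 'modified'} for files that differ."""
    current = build_baseline(root)
    attrs = ("size", "mtime_ns", "sha256") if use_hash else ("size", "mtime_ns")
    findings = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings[rel] = "deleted"
        elif rel not in baseline:
            findings[rel] = "added"
        elif any(baseline[rel][a] != current[rel][a] for a in attrs):
            findings[rel] = "modified"
    return findings


def demo():
    """Constructed tampering: change the code, pad back to the original size, restore mtime."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "bin" / "process_payment.py"
        target.parent.mkdir()
        original = (b"# Payment handler v1.4\n"
                    b"def charge(card):\n"
                    b"    return gateway.charge(card)\n")
        target.write_bytes(original)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_bytes(b"log_level=info\n")

        baseline = build_baseline(root)
        st = os.stat(target)

        # The attacker drops the header comment, inserts a line that leaks the
        # card, pads the file with a '#' comment line so the size matches,
        # then puts the original timestamps back.
        tampered = (b"def charge(card):\n"
                    b"    leak(card)\n"
                    b"    return gateway.charge(card)\n")
        assert len(tampered) <= len(original)
        target.write_bytes(tampered.ljust(len(original), b"#"))
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))

        attr_only = compare(baseline, root, use_hash=False)
        with_hash = compare(baseline, root, use_hash=True)
        return attr_only, with_hash


if __name__ == "__main__":
    attr_only, with_hash = demo()
    print("size/mtime only:", attr_only)  # {} : the tampering is invisible
    print("with SHA-256:   ", with_hash)  # {'bin/process_payment.py': 'modified'}
```

In a real deployment the baseline itself must be stored where the 'man on the inside' cannot rewrite it (off the monitored host, or signed), otherwise an administrator can simply re-baseline after tampering; that is the change-control side of the argument made above.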

Conclusion

Device hardening is an essential discipline for any organization serious about security. In addition, if your organization is subject to any corporate governance or formal security standard, such as PCI DSS, SOX, HIPAA, NERC CIP, ISO 27K or GCSX CoCo, then device hardening will be a mandatory requirement.
- All servers, workstations and network devices must be hardened through a combination of software patching and configuration settings deployment
- Any change to a device can adversely affect its hardened state and leave your organization exposed to security threats
- File integrity monitoring must also be used to mitigate 'zero-day' threats and the threat from the 'man on the inside'
- Vulnerability checklists will change regularly as new threats are identified
