Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 13

October 21, 2016

In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:

- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC 7: Email and Web Browser Protections
- CSC 8: Malware Defenses
- CSC 9: Limitation and Control of Network Ports, Protocols and Services
- CSC 10: Data Recovery Capability
- CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- CSC 12: Boundary Defense

CSC 13: Data Protection

The Control

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

The Attack

Data protection is at the heart of why security matters. In the CIA triad (Confidentiality, Integrity and Availability), perhaps the most critical component is the confidentiality of the data organizations hold on their products, customers or business ventures. Integrity and availability are important as well, but when a breach occurs and organizational data is leaked to the world, it can be one of the biggest hits to a company’s reputation.
Many of the controls work together, and CSC 13 overlaps with CSC 12: Boundary Defense. For that reason this post focuses less on the overlapping components and more on the unique measures organizations can implement to improve security. For my example attack in this blog post, I will show a policy violation surrounding data loss prevention (DLP). Often this is not done out of malicious intent, but I have seen this situation in real organizations. There are several scenarios in which employees may access sensitive data and inadvertently break DLP policies, exposing sensitive information, such as:

- Downloading a file
- Printing data
- Saving a screenshot

Figure 1: Saved data

The information systems that house sensitive data are usually configured with strong security mechanisms to prevent unauthorized access to that data. Once data is downloaded, printed or otherwise copied out of that environment, the security controls protecting it are generally no longer in place. As a result, an attacker who gains access to an employee’s workstation, for example through email phishing, can reach the data far more easily than by breaking into the system where it is most protected.

The Solution

For the above scenario, it takes a combination of technology and policy to secure data effectively. Organizations should employ defense in depth to protect data as much as possible, and should assume that data can leak from its primary secured storage locations.
A few of these defense-in-depth technologies and policies include:

- Encrypting data at rest
- Strong encryption key management
- Full disk encryption (FDE) on mobile devices
- Restricting access to file upload and transfer sites
- Disabling USB write access
- Implementing a network-based DLP solution configured on a network SPAN port

Additionally, organizations should periodically scan systems for data that is not intended to be on employee workstations. This can be done with a continuous monitoring tool, but it should be validated occasionally with full system scans for regular-expression (RegEx) patterns that match the privileged information the company is attempting to protect (e.g. credit card or social security numbers). A strong method of validating that data is protected within the organization includes:

- Implementing strong technology solutions to prevent the leaking of privileged information
- Consistent staff training on privileged data handling processes and policies
- Making sure that data is only where it is intended to be and is encrypted

The next post will cover CSC 14: Controlled Access Based on the Need to Know.

By: Joshua Platz, Principal Security Consultant | Optiv

Joshua Platz is a principal security consultant in Optiv’s advisory services threat practice on the attack and penetration team. Joshua’s role is to execute advanced service offerings such as the advanced threat simulation purple team activity and to provide thought leadership and mentorship to the practice. Joshua also executes internal and external network penetration testing and enterprise password audits, and was one of the designers and first executers of the attack surface management offering.
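The full-system RegEx scan recommended in the solution section above, as an added example (this is not Optiv's tooling or code from the post). It assumes two hypothetical patterns, one for 13 to 19 digit card numbers and one for dashed US social security numbers, and reduces false positives by validating card candidates with the Luhn checksum and SSN candidates against the published invalid area/group/serial rules. The sample files it scans are constructed in a temporary directory and the findings are masked so the report itself does not become a second copy of the sensitive data.

```python
"""Scan a directory tree for credit card numbers and US SSNs.

Added illustration for the CSC 13 post; not Optiv's code. Patterns and
sample files are constructed for the example.
"""
import re
import tempfile
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
# Lookarounds stop the match from starting or ending inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Dashed SSN shape only (###-##-####); bare 9-digit runs are too noisy to report.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most order ids and phone numbers that look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area 000/666/9xx, group 00 and serial 0000 are never issued."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four digits in findings so the report is safe to store."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> list:
    """Return (type, masked_value) findings for one file's contents."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Note: each digit run is checked as a whole; a scanner meant for
        # production would also test 13-19 digit sub-windows of longer runs.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append(("ssn", mask(m.group(0).replace("-", ""))))
    return findings


def scan_tree(root, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Walk the tree and map relative file paths to their findings (files with none are omitted)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                results[str(path.relative_to(root))] = hits
    return results


def build_sample_tree() -> str:
    """Construct a throwaway 'workstation' with one leaked export and one benign note."""
    root = tempfile.mkdtemp(prefix="dlp_demo_")
    # Constructed test values: a well-known Visa test number and a sample SSN.
    (Path(root) / "export.csv").write_text(
        "name,card,ssn\nAlice,4111 1111 1111 1111,123-45-6789\n")
    # Constructed decoys: an order id that fails Luhn, an SSN with an invalid area, a phone number.
    (Path(root) / "notes.txt").write_text(
        "order id 1234 5678 9012 3456, ticket 000-12-3456, phone 555-0100\n")
    return root


if __name__ == "__main__":
    for rel_path, hits in scan_tree(build_sample_tree()).items():
        for kind, masked in hits:
            print(f"{rel_path}: {kind} {masked}")
```

Running the block reports only `export.csv`; the decoys in `notes.txt` are discarded by the Luhn and SSN checks rather than by the regex, which is the point of pairing a pattern with a validator before a scan is used to drive policy action.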