Critical Security Controls: Part 2 (with Brian Ventura)
ADVANCED PERSISTENT SECURITY PODCAST
GUEST: Brian Ventura
October 31, 2016
If you enjoy this podcast, be sure to give us a 5 Star Review and “Love Us” on iTunes; Like us on Google Play, Stitcher, Sound Cloud, Spreaker, and YouTube.
NOTE: The opinions expressed in this podcast are ours alone and do not reflect those of our employers
NOTE: This series was originally intended to be a single episode. Because we recorded in excess of three hours of content, we decided (after the fact) to split this into 2 episodes.
Critical Security Controls: Part 2 SHOW NOTES
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
Controls 6 through 10 deal mostly with system-level controls. We pick up where we left off and continue the discussion, immediately jumping into logging. We discuss protection of logs, meaningful logging, and the need for correlation. We then shift to email and browser protection, which leads to a discussion of scripting languages, BeEF mitigations, and the need for whitelisting. We talk about Sender Policy Framework (SPF) and its role in eliminating spam. We discuss mitigation techniques for modern malware beyond conventional anti-malware, and limiting removable media such as USB flash drives, CDs, etc. We find the correlation between control 9 and control 2, and discuss limiting ports and protocols and using them for service discovery. The final control in this section covers the ability to actually recover from a backup at the server level or higher.
11. Secure Configurations for the Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
Controls 11 through 15 deal mostly with network-level controls. We discuss the conversation to be had with the networking teams about secure configurations, multi-factor authentication (MFA), VLANs, patching, and updating systems. In terms of Boundary Defense, we discuss internal (East/West) and external (North/South) boundary defense. Brian talks about Data Loss Prevention (DLP) versus Data Protection. We talk about account management, provisioning and de-provisioning accounts, and expiration of accounts. The discussion about wireless access control covers wireless effective range, cryptography, and key management.
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Account monitoring and control yields much the same conclusion as previous sections: the organization MUST define policies for account management and monitoring. There must be controls in place to protect the user and the organization from credential attacks. With regards to Security Skills Assessment and Appropriate Training to Fill Gaps, we are both biased, as we both have upcoming SANS courses. We discuss some other alternatives. From the aspect of training, Joe advocates that organizations put the exact desired responses from the user into annual training and awareness programs. We give an overview of Application Security (refer to Episode 16: Introduction to Application Security with Frank Rietta for more information). We talk about the necessity for Incident Handling and Response via strong policy and testing. The final control sees us talk about the maturity required to actually make use of Penetration Testing. If an organization is not mature enough to make meaningful use of the other controls, penetration testing is unlikely to be the answer.
Brian has 20+ years in Information Technology, ranging from systems administration to project management and information security. He is an Information Security Architect in Portland, Oregon and volunteers as the Director of Education for the Portland ISSA Chapter. Brian holds his CISSP and GCCC, as well as other industry certifications. As the Director of Education, Brian coordinates relevant local and online training opportunities.
Brian’s SANS Courses:
SEC440: Critical Security Controls: Planning, Implementing and Auditing (2 day course in Pittsburgh, PA: February 1 and 2, 2017)
SEC566: Implementing and Auditing the Critical Security Controls – In-Depth (5 day course in Seattle, WA: February 6 through 10, 2017)
LINKS TO RESOURCES MENTIONED:
Australian Signals Directorate 35 Strategies to Mitigate Cyber Intrusions
CSA Treacherous 12 (PDF)
OWASP Top 10
OWASP ASVS 3.0 (PDF)
National Cyber Security Awareness Month (Stay Safe Online)
CIS Critical Security Controls
GARY MCGRAW BOOKS
Software Security: Building Security In
Building Secure Software: How to Avoid Security Problems the Right Way
Exploiting Online Games: Cheating Massively Distributed Systems
Software Security Library Boxed Set, First Edition
Thanks for stopping by and checking out our podcast. We would appreciate it if you could subscribe (assuming you like what you hear; we think you will). This is meant to be informative and to provide value to anyone who listens, regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.