13. October 2010 · Read ‘Em All: Pentagon’s 193 Mind-Numbing Cybersecurity Regs | Danger Room | Wired.com · Categories: SANS 20 Critical Controls

Read ‘Em All: Pentagon’s 193 Mind-Numbing Cybersecurity Regs | Danger Room | Wired.com.

According to the Deputy Assistant Secretary of Defense for Cyber, Identity & Information Assurance (DASD CIIA), there are 119 different information security documents published by the Department of Defense (including the NIST SP 800 series). DASD CIIA helpfully published a two-foot-long chart to help you make sense of it all.

Perhaps they ought to take a look at the SANS 20 Critical Security Controls for Effective Cyber Defense. The whole thing is only 58 pages.

22. August 2010 · A framework to replace PCI? · Categories: PCI Compliance, SANS 20 Critical Controls

There has been much commentary this past week about the limited enhancements in the upcoming PCI-DSS 2.0 framework. Martin McKeay wrote a post, How would I write a framework to replace PCI? where he talks about three key principles: (1) Everything flows from policy, (2) Keep it simple, and (3) Concentrate on results, not technologies.

I see it differently. The key principles of the SANS Twenty Critical Security Controls for Effective Cyber Defense make more sense and provide the basis for the Cymbel Approach:

  • Offense must inform defense – knowledge of actual attacks that have compromised systems provides an essential foundation on which to construct effective defenses.
  • Work from a prioritized baseline of information security measures and controls.
  • Most controls must be automated – there is no way for an organization to cost-effectively defend itself with manual controls.
  • Measure the effectiveness of controls – automated techniques, where possible, should be used to measure the effectiveness of deployed controls.

Furthermore, regarding policies – you cannot start the process with policies without establishing context first. Therefore we start our processes with Visibility. You can read more about this on the Cymbel Services page.

05. July 2010 · Six database breaches during H1/2010 point to needed controls · Categories: Breach, SANS 20 Critical Controls, Security-Compliance

Dark Reading posted an overview of six database breaches that occurred during the first half of 2010. All of them resulted from a lack of controls covered in the SANS Twenty Critical Security Controls for Effective Cyber Defense, the backbone of Cymbel’s Approach to information security and compliance. Here is a brief explanation of each breach and the SANS Critical Controls that would have prevented it, or at least detected it more quickly:

  1. Arkansas National Guard – personal information of 32,000 current and former Guardsmen was copied to an external disk drive that was subsequently lost.
    • Critical Control #15 – Data Loss Prevention, Subcontrol #6 – encrypt hard drives
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – copying large numbers of database records should generate an alert indicating the who, what, and when of the query.
  2. University of Louisville – a database of dialysis patients was exposed because the web application lacked password protection.
    • CC#7 – Application Software Security, Subcontrol #3 – Test web applications for common security weaknesses.
    • CC#7 – Application Software Security, Subcontrol #6 – Software development personnel receive training on Secure Development Life Cycle.
  3. WellPoint – 470,000 customer records exposed to unauthorized users due to insecure web application code.
    • CC#7 – Application Software Security, Subcontrol #1 – Deploy a Web Application Firewall
    • CC#7 – Application Software Security, Subcontrol #2 – Automated code analysis
    • CC#7 – Application Software Security, Subcontrol #3 – Automated remote web vulnerability scanner
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
  4. Virginia Beach Department of Social Services – eight employees and supervisors fired or disciplined for abusing their database access privileges by accessing restricted information about employees, family members, and clients.
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – establish more granular access policies
    • CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
  5. Florida International University – sensitive records of 20,000 students and faculty were exposed on an unauthorized database in an insecure computing environment.
    • CC#1 – Inventory of Authorized and Unauthorized Devices, Subcontrol #1 – Automated asset inventory discovery system
    • CC#2 – Inventory of Authorized and Unauthorized Software, Subcontrol #2 – Automated software discovery system
    • CC#15 – Data Loss Prevention, Cymbel Extension – Network-based User Activity Monitoring – Anomalous database queries
  6. Lincoln National Corp. – 1.2 million customers’ portfolios were exposed due to lax password management and frequent credential sharing. Some passwords had not been changed in seven years!
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #3 – Change passwords at regular 30, 60, 90 day intervals.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #6 – Administrative accounts should only be used for administrative functions.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #8 – No password reuse within six months.
    • CC#8 – Controlled Use of Administrative Privileges, Subcontrol #11 – Two-factor authentication