According to the Deputy Assistant Secretary of Defense for Cyber, Identity & Information Assurance (DASD CIIA), there are 119 different information security documents published by the Department of Defense (including the NIST SP 800 series). DASD CIIA helpfully published a two-foot-long chart to help you make sense of it all.
There has been much commentary this past week about the limited enhancements in the upcoming PCI-DSS 2.0 framework. Martin McKeay wrote a post, How would I write a framework to replace PCI? where he talks about three key principles: (1) Everything flows from policy, (2) Keep it simple, and (3) Concentrate on results, not technologies.
Offense must inform defense – knowledge of actual attacks that have compromised systems provides an essential foundation on which to construct effective defenses.
Work from a prioritized baseline of information security measures and controls.
Most controls must be automated – there is no way for an organization to cost-effectively defend itself with manual controls.
Measure the effectiveness of controls – automated techniques, where possible, should be used to measure the effectiveness of deployed controls.
Furthermore, regarding policies – you cannot start the process with policies without establishing context first. Therefore we start our processes with Visibility. You can read more about this on the Cymbel Services page.
Dark Reading posted an overview of six database breaches that occurred during the first half of 2010. All of them resulted from lack of controls covered in the SANS Twenty Critical Security Controls for Effective Cyber Defense, the backbone of Cymbel’s Approach to information security and compliance. Here is a brief explanation of each breach and the SANS Critical Controls that would have prevented or at least detected the breach more quickly:
Arkansas National Guard – personal information of 32,000 current and former Guardsmen removed on an external disk drive that was subsequently lost.
Critical Control #15 – Data Loss Prevention, Subcontrol #6 – encrypt hard drives
CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – copying large numbers of database records should generate an alert indicating the who, what, and when of the query.
University of Louisville – database of dialysis patients exposed due to lack of password protection of the web application.
CC#7 – Application Software Security, Subcontrol #3 – Test web applications for common security weaknesses.
CC#7 – Application Software Security, Subcontrol #6 – Software development personnel receive training on Secure Development Life Cycle.
WellPoint – 470,000 customer records exposed to unauthorized users due to insecure web application code.
CC#7 – Application Software Security, Subcontrol #1 – Deploy a Web Application Firewall
CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
Virginia Beach Department of Social Services – eight employees and supervisors fired or disciplined for abusing their database access privileges by accessing restricted information about employees, family members, and clients.
CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – establish more granular access policies
CC#15 – Data Loss Prevention, Cymbel Extension – Database Activity Monitoring and Control – anomalous user queries of the database
Florida International University – sensitive records of 20,000 students and faculty exposed on an unauthorized database in an insecure computing environment.
CC#1 – Inventory of Authorized and Unauthorized Devices, Subcontrol #1 – Automated asset inventory discovery system
CC#2 – Inventory of Authorized and Unauthorized Software, Subcontrol #2 – Automated software discovery system
CC#15 – Data Loss Prevention, Cymbel Extension – Network-based User Activity Monitoring – Anomalous database queries
Lincoln National Corp. – 1.2 million customers’ portfolios exposed due to lax password management and frequent credential sharing. Some passwords had not changed in seven years!
CC#8 – Controlled Use of Administrative Privileges, Subcontrol #3 – Change passwords at regular 30-, 60-, or 90-day intervals.
CC#8 – Controlled Use of Administrative Privileges, Subcontrol #6 – Administrative accounts should only be used for administrative functions.
CC#8 – Controlled Use of Administrative Privileges, Subcontrol #8 – No password reuse within six months.
CC#8 – Controlled Use of Administrative Privileges, Subcontrol #11 – Two-factor authentication
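As an added example that is not part of Cymbel’s post or the SANS controls, the following Python script shows the kind of Database Activity Monitoring check the Cymbel Extension above calls for: it parses constructed database audit-log lines and raises who/what/when alerts for bulk record extraction (the Arkansas and WellPoint cases) and for reads of a restricted table by users outside a permitted list (the Virginia Beach case). The log format, the row threshold and the table allow-list are assumptions.

```python
"""Added example (not Cymbel's or SANS's code): a minimal database-activity
monitor that turns constructed audit-log lines into who/what/when alerts for
(a) bulk record extraction and (b) access to a restricted table by a user
outside its allow-list. Log format, threshold and table names are assumed."""
import re

# Constructed sample audit lines: timestamp | user | rows returned | SQL text
SAMPLE_LOG = """\
2010-06-01T09:12:03 | jsmith | 12    | SELECT name, dob FROM patients WHERE id = 4412
2010-06-01T09:15:41 | jsmith | 31000 | SELECT * FROM personnel
2010-06-01T10:02:17 | clerk7 | 1     | SELECT ssn FROM employees WHERE last_name = 'Doe'
2010-06-01T10:05:55 | dba01  | 45000 | SELECT * FROM personnel
"""

LINE_RE = re.compile(r"^(?P<when>\S+)\s*\|\s*(?P<who>\S+)\s*\|\s*(?P<rows>\d+)\s*\|\s*(?P<sql>.+)$")
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
BULK_ROWS = 5000                              # assumed baseline: above any routine query
RESTRICTED = {"employees": {"hr01", "hr02"}}  # assumed table -> users permitted to read it

def parse(log_text):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["rows"] = int(ev["rows"])
            yield ev

def detect(log_text, bulk_rows=BULK_ROWS, restricted=RESTRICTED):
    """Return alerts, each carrying the who, what and when of the query plus a reason."""
    alerts = []
    for ev in parse(log_text):
        reasons = []
        if ev["rows"] >= bulk_rows:                      # bulk copy of records
            reasons.append(f"bulk extraction: {ev['rows']} rows")
        for table in TABLE_RE.findall(ev["sql"]):        # restricted-table access
            allowed = restricted.get(table.lower())
            if allowed is not None and ev["who"] not in allowed:
                reasons.append(f"restricted table {table} read by non-authorized user")
        for reason in reasons:
            alerts.append({"who": ev["who"], "when": ev["when"], "what": ev["sql"], "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['when']} {a['who']}: {a['reason']} :: {a['what']}")
```

On the sample log the check flags the two bulk reads of personnel (including the DBA’s) and the clerk’s read of the restricted employees table, while the routine single-patient lookup passes.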