Implementing & Auditing 20 Critical Security Controls
Defensia, 2012
Rafel Ivgi

This book introduces the 20 most critical security controls that any CIO must implement in his network environment in order to survive the current cyber-attacks of this era.

1 | Page
TABLE OF CONTENTS

Table of Contents .......... 1
Introduction to Security Controls .......... 9
Insider versus outsider threats .......... 9
Insider attacks Sophistication vs. Motivation Matrix .......... 10
General Risk Threat Agents, Distribution and Motives .......... 16
Conclusions .......... 26
US Federal Guidelines, Recommendations & Requirements .......... 26
FISMA - Federal Information Security Management Act .......... 26
FISMA's Risk Management Framework (RMF) .......... 27
United States Government Configuration Baseline (USGCB) .......... 28
The Security Content Automation Protocol (SCAP) .......... 28
NIST: FIPS 200 and SP 800-53 - Implementing Information Security Standards and Guidelines .......... 30
The 20 critical controls .......... 38
Most commonly implemented controls .......... 38
Least commonly implemented controls .......... 39
The Process .......... 39
How to create a strategy for data protection and prioritize the implementation of security .......... 39
The common inventory of Information Security Threats to an Organization .......... 40
The Organizational Data Lifecycle .......... 40
Creating a security strategy to protect the data per system .......... 41
Creating an organizational-scale data security strategy .......... 42
Controls based on the likelihood of security threats .......... 45
Risk Management .......... 45
Calculating Risks, Security Metrics and Risk Measurement Tools .......... 45
Implement specific techniques and tools to protect data and systems .......... 47
Protecting Data .......... 47
Common DRM techniques .......... 48
Technologies DRM is used to Protect .......... 48
DRM and documents .......... 48
Watermarks .......... 49
Laws regarding DRM .......... 49
Digital Millennium Copyright Act .......... 49
Audit the identified and implemented controls to ensure that they operate effectively and that they comply with established standards .......... 58
Preventing physical intrusions .......... 59
Using Mantraps .......... 59
Spinning Glass Doors .......... 59
Turnstiles .......... 60
Combining mantraps with security cameras and facial recognition .......... 61
Using swipe-based biometric authorization devices .......... 63
Strong Authentication .......... 64
Combining Fingerprint swipe with PIN code .......... 64
Fingerprint Swipe + Magnetic Card .......... 64
Keyboard with Security .......... 65
Not Secure .......... 65
Secure .......... 65
Extremely Secure .......... 66
Using white noise generators to disturb eavesdropping .......... 66
Low Cost Hardware Solutions .......... 66
iPhone Applications .......... 68
Studio Six Digital - AudioTools - Generator .......... 68
Rabble Noise Generator .......... 69
Features .......... 69
Distortion & Reverberation Generator .......... 70
Laptop & PC Configurations .......... 71
VDI .......... 71
Motivations for VDI .......... 71
Poll Results: Is VDI More Expensive Than PC? .......... 72
Annual Facilities Costs PC vs. VDI .......... 72
Comparing Endpoint PC Security to VDI Security .......... 73
VDI Security Comparison: Citrix XenDesktop vs. VMware View .......... 74
Data as a service .......... 76
Benefits .......... 76
Security .......... 77
PC Metal Locking .......... 77
Disabling Internal/External USB, DVD, CD-ROM Boot .......... 78
Setting BIOS Passwords .......... 81
User Account Control .......... 81
Internet Explorer 9 Protected Mode .......... 84
Memory Protection Mechanisms .......... 84
Security Cookie (Canary) .......... 84
SafeSEH .......... 85
Address space layout randomization (ASLR) .......... 87
Visualization of ASLR Changes to System Memory per Boot .......... 88
NX (No eXecute, Hardware DEP) .......... 88
DEP and ASLR Protection Activation State .......... 90
Data Execution Prevention - DEP .......... 92
DEP, ASLR, IE Protected Mode and UAC's Impact on Security in Windows .......... 92
Encrypting Laptops .......... 93
Managed Solution: McAfee / Symantec .......... 93
Encryption Product Comparison for Apple Macintosh .......... 93
Product Feature Comparison Table .......... 94
Layering & Partition Type Support .......... 95
Modes of operation .......... 96
Non-Managed - TrueCrypt .......... 97
Setting Laptops' Out-of-Organization Personal Firewall Policy .......... 99
Network Equipment .......... 102
Understanding Layer 2 & 3 Security .......... 102
Layer 3+ Security .......... 155
An example of the right way to divide VLANs to matching logical business units .......... 157
Maximizing Your Network Security with Private VLANs (PVLAN) .......... 158
Configuring PVLAN .......... 161
Upgrading Router/Switch Firmware .......... 163
Buying new equipment, new security features .......... 165
Secure Configuration Management (SCM) .......... 167
Introduction .......... 167
Maintenance systems .......... 167
Mapping supported devices .......... 170
Inventory Scanner .......... 171
Completing the gaps with scripts .......... 176
Creating Device Groups (Security Level, Same Version) .......... 177
Creating Policies .......... 177
Attachments and Guidelines .......... 179
Auditing to verify security in practice .......... 187
Case Studies Summary: Top 10 Mistakes - Managing Windows Networks .......... 192
The shoemaker's son always goes barefoot .......... 192
Domain Administrators on Users VLAN .......... 192
Domain Administrator with a Weak Password .......... 193
Domain Administrator without the Conficker Patch (MS08-067) .......... 194
(LM and NTLM v1) vs. (NTLM v2) .......... 195
Pass the Hash Attack .......... 197
Daily logon as a Domain Administrator .......... 198
Using Domain Administrator for Services .......... 198
Managing the network with Local Administrator Accounts .......... 199
The NetLogon Folder .......... 199
LSA Secrets & Protected Storage .......... 201
Cached Logons .......... 205
Password History .......... 206
Users as Local Administrators .......... 206
Forgetting to Harden: RestrictAnonymous=1 .......... 207
Weak Passwords / No Complexity Enforcement .......... 207
Guess what the password was? (gma ) .......... 207
Firewalls .......... 208
Understanding Firewalls (1st, 2nd, 3rd, 4th, 5th generations) .......... 208
First generation: packet filters .......... 208
Second generation: "stateful" filters .......... 209
Third generation: application layer .......... 209
Application firewall .......... 209
The Common Firewalls' Limits .......... 211
Implementing Application-Aware Firewalls .......... 212
Securely Enabling Applications Based on Users & Groups .......... 214
High Performance Threat Prevention .......... 216
Checkpoint R75 Application Control Blade .......... 218
Utilizing Firewalls for Maximum Security .......... 220
Implementing a Back-Bone Application-Aware Firewall .......... 220
Network Inventory & Monitoring .......... 220
How to map your network connections? .......... 220
How to discover all network devices? .......... 221
How to discover all cross-network installed software? .......... 221
NAC .......... 222
The Problem: Ethernet Network .......... 222
What is a NAC originally? .......... 223
Today's NAC? .......... 223
Why Invent Today's NAC? .......... 223
Dynamic Solution for a Dynamic Environment .......... 224
Did We EVER Manage Who Gets IP Access? .......... 224
What is a NAC? .......... 224
Simple Explanation .......... 225
Goals of NAC .......... 225
NAC Approaches .......... 226
General Basic NAC Deployment .......... 228
NAC Deployment Types .......... 228
NAC Acceptance Tests .......... 229
NAC Vulnerabilities .......... 230
The common attack: Bypassing & Killing the NAC .......... 231
Open Source Solutions .......... 232
SIEM (Security Information and Event Management) .......... 238
SIEM Capabilities .......... 238
SIEM Architecture .......... 239
SIEM Logics .......... 242
Planning for the right amounts of data .......... 243
Introduction .......... 243
SIEM Benchmarking Process .......... 244
The Baseline Network .......... 246
SIEM Storage and Analysis .......... 249
Baseline Network Device Map .......... 251
EPS Calculation Worksheet .......... 252
Common SIEM Report Types .......... 252
Custom Reports .......... 253
Defining the right Rules: It's all about the rules .......... 253
IDS/IPS .......... 254
IPS Types .......... 255
Detection Methods .......... 255
Signature Catalog .......... 256
Alert Monitoring .......... 257
Security Reporting .......... 258
Alert Monitor .......... 259
Anti-Virus .......... 260
Web content protection & filtering .......... 260
Session Hijacking and Internal Network Man-In-The-Middle .......... 260
XSS Attack Vector .......... 260
The Man-In-The-Middle Attack Vector .......... 261
HTML5 and New Client-Side Risks .......... 266
Cookie/Repository User Tracking .......... 266
User TraceBack Techniques .......... 268
MAC Address Detection of All Network Interfaces via Java .......... 269
XSS + Browser Location Services .......... 270
Use your power to protect and enforce GPO .......... 273
Choosing, Implementing and Testing Web Application Firewalls .......... 280
Detecting Web Application Firewalls .......... 280
Bypassing Web Application Firewalls .......... 283
HTTP Parameter Pollution (HPP) .......... 283
Examples .......... 284
Circumvention of default WAF filtering mechanisms .......... 286
High Level Distributed Denial of Service .......... 296
Protecting DNS Servers & Detecting DNS Enumeration Attacks .......... 300
Detecting Sub Domains .......... 303
Securing Web Servers .......... 304
Components of a generic web application system .......... 305
Multi-tier architecture .......... 306
Securing Virtual Hosts: Preventing Detection of Virtual Hosts .......... 307
Protecting against Google Hacking .......... 308
Securing IIS 7/7.5 + Microsoft SQL Server 2008 .......... 310
IIS Dynamic IP Restrictions Module: The mod_evasive of IIS .......... 310
Hardening IIS SSL with IISCrypto: Disabling Weak Ciphers .......... 311
Hardening IIS 7.5 on Windows 2008 Server R2 SP1 .......... 312
Apache Hardening .......... 316
Mod_Evasive Anti-DoS Apache Module .......... 317
SELinux Optional Hardening .......... 318
SELinux Apache Hardening .......... 318
SELinux for other services (Experts Only) .......... 319
Enable Hardened HTTP .......... 319
Email protection & filtering .......... 322
Sending Spoofed Emails: Bypassing SPF with an $8 Domain .......... 325
VPN Security .......... 326
Identifying VPNs & Firewalls (Fingerprinting VPNs) .......... 326
Offline password cracking .......... 327
VPN IKE User Enumeration .......... 330
VPN PPTP User Enumeration .......... 331
VPN Clients Man-In-The-Middle Downgrade Attacks .......... 332
Downgrade Attacks - IPSEC Failure .......... 332
Downgrade Attacks - PPTP .......... 332
PPTP .......... 333
PPTP Brute Force .......... 333
Hacking VPNs with Aggressive Mode Enabled .......... 334
Endpoint Security .......... 341
Penetration tests and red team exercises .......... 341
Implementing identity & access management, creating backups, BCP & DRP .......... 341
Security Metrics .......... 342
Incident Response .......... 342
Creating an audit .......... 342
Conclusions .......... 343
Introduction to Security Controls

Insider versus outsider threats

External: External threats originate from sources outside of the organization and its network of partners. Examples include former employees, lone hackers, organized criminal groups, and government entities. External agents also include environmental events such as floods, earthquakes, and power disruptions. Typically, no trust or privilege is implied for external entities.

Internal: Internal threats are those originating from within the organization. This encompasses company executives, employees, independent contractors, interns, etc., as well as internal infrastructure. Insiders are trusted and privileged (some more than others).

Partners, aka External Insiders / Trusted Business Partners (TBP): Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers, outsourced IT support, etc. Some level of trust and privilege is usually implied between business partners.

External, Internal and Partner Incident Distribution from the Last 8 Years:

As the chart shows, the share of incidents caused by external agents has risen every year, while the share caused by internal agents has declined over the same period.

It is important not to confuse the origin of the malicious intent with the origin of the attack traffic: "internal" refers to where the intent comes from, not to where the attack is launched from. For example, a remote external attacker can take over one machine and use it to execute internal network attacks. In that case the attacker is still external, even though the attack itself is an internal network attack.
Insider attacks Sophistication vs. Motivation Matrix:

Examining Six Cases of Insider-Originated Incidents:

Organizational Divisions' Influence vs. Interest in the Inspected Incidents:

Types of Internal Agents by Percent:

General Risk Threat Agents, Distribution and Motives

Threat Categories in Practice Over Time:

Distribution of threat agent type by stolen records:

Distribution by motive:

Distribution by origin organization type:

Distribution by origin geo-location:

Malware Functionality:

Hacking Methods Used:

Hacking Vectors Used:

Social Engineering Types Percentage:

Social Engineering Vectors Percentage:

Social Engineering Targets Percentage:

Compromised Assets Percentage:

Targeted vs. Opportunistic in All vs. Large Organizations:

Time from initial attack to data exfiltration until compromise discovery:

Breach Discovery Methods:

Breached Organizations' Information Security vs. PCI-DSS and Common Standards:
Conclusions
1. Attacks are aimed at companies of all sizes; large companies are targeted with more attacks.
2. External attacks mainly originate from organized crime groups.
3. Most attacks originate from Eastern Europe.
4. Attacks mostly involve personal or financial gain.
5. The growth in recent years is in external hacking and malware infiltration.
6. The malware used was mostly keyloggers and backdoors.
7. Hacking methods were mostly password guessing and use of stolen credentials.
8. Hacking vectors were mostly remote access services and backdoors.
9. Social engineering attacks were mostly pretexting and bribery, by phone and in person, aimed at regular employees and cashiers.
10. Compromised machines were mostly point-of-sale systems and desktop workstations.
11. Most organizations were attacked opportunistically; large ones were targeted.
12. It mostly took minutes to achieve a successful penetration, minutes to exfiltrate data, and months to discover the incident.
13. Most breaches were reported by law enforcement agencies and third-party fraud detection, not discovered internally.
14. Most breached organizations were very far from compliant with security standards.
US federal Guidelines, Recommendations & Requirements
FISMA - Federal Information Security Management Act
The FISMA final requirements specification is available at:
http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
FISMA's Vision
To promote the development of key security standards and guidelines to support the implementation of and compliance with the Federal Information Security Management Act, including:
- Standards for categorizing information and information systems by mission impact
- Standards for minimum security requirements for information and information systems
- Guidance for selecting appropriate security controls for information systems
- Guidance for assessing security controls in information systems and determining security control effectiveness
- Guidance for the security authorization of information systems
- Guidance for monitoring the security controls and the security authorization of information systems
FISMA's Objectives
- The implementation of cost-effective, risk-based information security programs
- The establishment of a level of security due diligence for federal agencies and contractors supporting the federal government
- More consistent and cost-effective application of security controls across the federal information technology infrastructure
- More consistent, comparable, and repeatable security control assessments
- A better understanding of enterprise-wide mission risks resulting from the operation of information systems
- More complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security authorization decisions
- More secure information systems within the federal government, including the critical infrastructure of the United States
FISMAs RISK MANAGEMENT FRAMEWORK (RMF)
United States Government Configuration Baseline (USGCB)
The United States Government Configuration Baseline (USGCB) evolved from the FDCC - Federal Desktop Core Configuration.
USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to establish and maintain effective configuration settings, focusing primarily on security.
The USGCB offers the latest revisions of the most hardened Windows environment security settings, tested to preserve sufficient usability:
Hardened and Compliant Microsoft Windows Group Policy Collection
http://usgcb.nist.gov/usgcb/content/gpos/USGCB-GPOs.zip
Hardened and Compliant Microsoft Windows Security Settings Specification (Excel)
http://usgcb.nist.gov/usgcb/documentation/USGCB-Windows-Settings.xls
Before importing the GPO collection, review it against the organization's own requirements and pilot it on a test OU: the baseline is tuned for federal desktops, and settings such as disabled services or tightened user rights can break line-of-business applications if applied untested.
The Security Content Automation Protocol (SCAP)
The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and to humans.
SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content.
SCAP version 1.2 is comprised of eleven component specifications in five categories:
1. Languages. The SCAP languages provide standard vocabularies and conventions for expressing security policy, technical check mechanisms, and assessment results. The SCAP language specifications are Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL), and Open Checklist Interactive Language (OCIL).
2. Reporting formats. The SCAP reporting formats provide the necessary constructs to express collected information in standardized formats. The SCAP reporting format specifications are Asset Reporting Format (ARF) and Asset Identification. Although Asset Identification is not explicitly a reporting format, SCAP uses it as a key component in identifying the assets that reports relate to.
3. Enumerations. Each SCAP enumeration defines a standard nomenclature (naming format) and an official dictionary or list of items expressed using that nomenclature. The SCAP enumeration specifications are Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), and Common Vulnerabilities and Exposures (CVE).
4. Measurement and scoring systems. In SCAP this refers to evaluating specific characteristics of a security weakness (for example, software vulnerabilities and security configuration issues) and, based on those characteristics, generating a score that reflects their relative severity. The SCAP measurement and scoring system specifications are Common Vulnerability Scoring System (CVSS) and Common Configuration Scoring System (CCSS).
5. Integrity. An SCAP integrity specification helps to preserve the integrity of SCAP content and results. Trust Model for Security Automation Data (TMSAD) is the SCAP integrity specification.
In practice an SCAP-validated scanner consumes an XCCDF benchmark (whose rules reference OVAL definitions for the actual checks) and emits an XCCDF TestResult per target; the rule-result elements in that output are what feed compliance reporting.
SCAP utilizes software flaw and security configuration standard reference data. This reference data is provided by the National Vulnerability Database (NVD), which is managed by NIST and sponsored by the Department of Homeland Security (DHS).
The latest full specification of SCAP is available at:
http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf
The latest SCAP content for Windows 7, Windows 7 Firewall, and Internet Explorer 8:
http://usgcb.nist.gov/usgcb/content/scap/USGCB-Major-Version-1.2.x.0.zip
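Scanner output is where the SCAP pipeline becomes actionable, so here is an added example (not code from the book, from NIST, or from any scanner vendor) that parses an XCCDF 1.2 TestResult, the per-target result document an SCAP scanner produces, and lists the rules that need attention, highest severity first. The benchmark, rule identifiers, target name and outcomes in the embedded sample are constructed for the example; real content would come from a USGCB or STIG benchmark run.

```python
"""Summarise an XCCDF 1.2 TestResult, the per-target output an SCAP scanner emits.

Added example: not code from the book, NIST, or any scanner vendor.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# XCCDF rule severities, lowest to highest (XCCDF 1.2 SeverityEnumType).
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Constructed sample (assumption: shaped like real scanner output, but the benchmark,
# rule identifiers, target name and results are invented for this example).
SAMPLE_RESULT = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_example_benchmark_sample">
  <status>accepted</status>
  <title>Constructed sample benchmark</title>
  <version>1</version>
  <TestResult id="xccdf_example_testresult_sample"
              start-time="2012-01-01T00:00:00" end-time="2012-01-01T00:05:00">
    <target>ws01.example.internal</target>
    <rule-result idref="xccdf_example_rule_password_min_length" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_firewall_enabled" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_screensaver_lock" severity="low">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_bitlocker" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_policy" severity="medium">
      <result>error</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">40</score>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xccdf_xml):
    """Return (rule_id, result, severity) for every rule-result in every TestResult."""
    root = ET.fromstring(xccdf_xml)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result_el = rr.find("x:result", XCCDF_NS)
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        rows.append((rr.get("idref"), result, rr.get("severity", "unknown")))
    return rows


def summarise(xccdf_xml):
    """Count outcomes and list rules needing a human look, highest severity first.

    'fail' is a real finding; 'error' means the check itself could not run, which
    must not be silently counted as compliant.
    """
    rows = parse_rule_results(xccdf_xml)
    counts = Counter(result for _, result, _ in rows)
    needs_attention = [r for r in rows if r[1] in ("fail", "error")]
    needs_attention.sort(key=lambda r: SEVERITY_RANK.get(r[2], 0), reverse=True)
    return dict(counts), needs_attention


def target_of(xccdf_xml):
    """Hostname/identifier of the scanned system, as recorded by the scanner."""
    root = ET.fromstring(xccdf_xml)
    t = root.find(".//x:TestResult/x:target", XCCDF_NS)
    return t.text if t is not None else None


if __name__ == "__main__":
    counts, attention = summarise(SAMPLE_RESULT)
    print("target:", target_of(SAMPLE_RESULT))
    print("outcome counts:", counts)
    for rule_id, result, sev in attention:
        print(f"{sev:8s} {result:6s} {rule_id}")
```

Run against a real result file by reading it into `summarise`; the sort is stable, so within one severity the scanner's own rule order is preserved.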
Obtaining FISMA, NIST and SCAP compliant Security Checklists:
Example download link (a DISA STIG SCAP benchmark for Windows Server 2008 R2 domain controllers):
http://iase.disa.mil/stigs/os/windows/u_windows_2008_r2_dc_v1r3_stig_benchmark_20120127.zip
NIST: FIPS 200 AND SP 800-53 - IMPLEMENTING INFORMATION SECURITY STANDARDS AND GUIDELINES
NIST's SP 800-53 focuses on the selection and implementation of appropriate security controls for an information system or a system-of-systems. These are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals and the Nation.
Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:
- What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
- Have the selected security controls been implemented, or is there a realistic plan for their implementation?
- What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?
The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks arising from its information and information systems.
SECURITY CONTROL ORGANIZATION AND STRUCTURE
Security controls described in this publication have a well-defined organization and structure. For ease of use in the security control selection and specification process, controls are organized into seventeen families (Revision 3 of SP 800-53 adds an eighteenth, Program Management (PM), for organization-wide controls that are not tied to a single system).
Each security control family contains security controls related to the security functionality of the family. A two-character identifier is assigned to uniquely identify each security control family. In addition, there are three general classes of security controls: management, operational, and technical.
Table 1-1 summarizes the classes and families in the security control catalog and the associated security control family identifiers:
NIST 800-53 Risk Management Framework and the information security standards and guidance documents associated with each activity:
NIST 800-53 Security Control Selection Process:
NIST 800-53 Security Control Baselines:
NIST 800-53 Security Control Priority & Baseline Allocation Examples:
NIST 800-53 Mapping Specified Security Controls to ISO 27001:
NIST 800-53 Controls Table is available at:
http://csrc.nist.gov/groups/SMA/fasp/documents/security_controls/SP800-53Table.xls
Security Test and Evaluation (ST&E) Plan Template is available at:
http://csrc.nist.gov/groups/SMA/fasp/documents/security_controls/App_CA_STE_Plan_Template_030408.doc
The 20 critical controls
1. Live Monitoring and Real-Time Alerting of security events and anomalies (SIEM integrated with AD, IPS, automatic inventory, etc.)
2. Data Recovery Capability
3. Effective network segmentation and compartmentalization of management and administration networks
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Applying suitable, different recurring automatic update/patching policies for all software on all asset types (endpoint, server, laptop, mission critical, internet exposed)
6. Revoking and limiting local administrator privileges on all systems, especially endpoints
7. Boundary Defense
8. Policy Hardening Utilizing Group Policy for Security
9. Implementation of an IDM (Identity Management) & SSO for all users, combined with strong (two-factor) authentication
10. Implementing a Back-Bone Application-Aware Firewall (Limitation and Control of Network Ports, Protocols, and Services by User * MAC * IP)
11. Inventory of Authorized and Unauthorized Devices
12. Data Loss Prevention
13. Security Skills Assessment and Appropriate Training to Fill Gaps
14. An incident response policy to minimize all potential risks during a breach
15. Inventory of Authorized and Unauthorized Software
16. Device Control Management: MDM (Mobile Device Management), Wireless/Cellular Modems, Mobile Storage, Digital Cameras
17. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
18. Malware Defenses (AV, HIPS)
19. Controlled Access Based on the Need to Know
20. Penetration Tests and Red Team Exercises
Most commonly implemented controls
1. Firewall on External Network (Internet)
2. Endpoint Security (Anti-Virus + Basic Device Control)
3. Boundary Defense
4. Data Recovery Capability
5. Malware Defenses
6. Penetration Tests and Red Team Exercises
7. Continuous Vulnerability Assessment and Remediation
8. Controlled Use of Administrative Network Privileges
9. Network Account Monitoring and Control
10. Controlled Access Based on Need to Know
Least commonly implemented controls
1. Protect equipment from unauthorized access
2. Secure offices and rooms
3. Secure the physical perimeter of the organization's buildings (internally)
4. Track the location of removable computer media
5. Manage visitor access to secure areas within the buildings
6. Measure security compliance at a third-party facility
7. Restrict access to the facility from the delivery or loading area
8. Protect unattended equipment
9. Apply digital signatures to protect the authenticity and integrity of electronic information
10. Detect unauthorized access to physical facilities
The Process
How to create a strategy for data protection and prioritize the implementation of security
The common inventory of Information Security Threats to an Organization:
The Organizational Data Lifecycle (stages: Data Acquisition/Creation, Data Storage, Data Use, Data Sharing/Modifying, Data Destruction):
Creating a security strategy to protect the data per system:
1. Defining the organizational approach to security
a. Organization's Risk Appetite
b. Current/Future Insurance coverage plans
2. Mapping all the organizational data systems
a. Inspecting Documentation
b. Requesting Information from Team Leaders and System Managers
c. Network Scanning - Mapping Forgotten Systems
3. Inspecting the regulations the organization must comply with
a. Government Regulations (DoD, CC, FIPS, NIST SP 800-37, NIST 800-53(A), FISMA)
b. Industry Standards and Regulations (ISO 17799/BS 7799, ITIL/ISO-IEC 20000 and COBIT)
c. International Regulations (ISO 27001, PCI-DSS, SOX, COSO, HIPAA, BITS (banking industry standards))
4. Assigning numerical values to systems' data by importance
a. System/Asset quantified value by regulation requirements (by what the regulation considers sensitive data, i.e. customer names, addresses, email DB)
b. Identifying the critical data of each data system - System/Asset quantified value by the system's customer availability requirements (i.e. customer, minor/major business partner, internal use, backup/DR)
i. System/Asset quantified value by data sensitivity defined by the System Manager/Data Owner together with the CISO
c. Identifying the data usage, accessibility and usability requirements of each data type of each system
5. Analyzing system threats and attack vectors to the data
a. Is the data encrypted? Where is the key located? Who has access to the key?
b. Is the system under real-time security monitoring?
c. What are the availability requirements of the system?
d. Which networks is the system exposed to?
e. Does the system get security updates automatically?
f. Which services does the system listen on?
g. How many people have privileged access to the system?
h. Is the system integrated with a strong authentication mechanism?
6. Prioritizing the work process and defining Data Protection Requirements by data value and regulation requirements
a. Data Protection Requirements of the most enforced regulations
b. Data Protection Requirements of the most business-enabling regulations
c. Aligning to management's organizational approach to security
d. Researching remediation solutions and determining their TCO for 5-10 years
7. Confronting the results with management
a. Setting up recurring meetings with management regarding information security (Yearly Plan, Strategic Plan, Current & Emerging Threats, Discovered Incidents)
b. Presenting the calculated risk (by ALE, ARO)
c. Presenting the potential set of remediation solutions vs. costs required
d. Establishing decisions per threat and/or per system
e. Requesting corrections to the current budget
Creating an organizational-scale data security strategy:
1. Defining the organizational approach to security
a. Organization's Risk Appetite and Data Leakage approach
b. Current/Future Insurance coverage plans
2. Mapping the major organizational data systems
3. Inspecting the regulations the organization must comply with
a. Government Regulations (DoD, CC, FIPS, NIST SP 800-37, NIST 800-53(A), FISMA)
b. Industry Standards and Regulations (ISO 17799/BS 7799, ITIL/ISO-IEC 20000 and COBIT)
c. International Regulations (ISO 27001, PCI-DSS, SOX, COSO, HIPAA, BITS (banking industry standards))
4. Assigning numerical values to major systems' data by importance
a. System/Asset quantified value by regulation requirements (by what the regulation considers sensitive data, i.e. customer names, addresses, email DB)
b. Identifying the critical data of each data system - System/Asset quantified value by the system's customer availability requirements (i.e. customer, minor/major business partner, internal use, backup/DR)
i. System/Asset quantified value by data sensitivity defined by the System Manager/Data Owner together with the CISO
5. Identifying the highest common denominator in data attributes:
a. Highest intersecting Data Accessibility requirements (Setup Complexity, Training Complexity, Access Complexity, Client/Clientless, OS, Networks, Entities, Formats, Time Frames, Access Level)
b. Highest intersecting Data Sharing requirements (Setup Complexity, Training Complexity, Sharing Complexity, Networks, Entities, Formats)
c. Highest intersecting Data types of each System (DOC, XLS, PPT, PDF, TXT, data in databases, i.e. credit card information)
d. Most common size of a single data unit/file
6. Analyzing system threats and attack vectors to the data
a. Is the data encrypted? Where is the key located? Who has access to the key?
b. How is the data used? Over which networks?
c. Where is the data stored permanently? Temporarily? (Clients' Outlook? Laptops? Are laptops encrypted?)
d. How is the data shared? With whom?
e. What types/formats is the data used with? Modifiable/Writable (DOC, XLS) or Read Only (PDF, XPS)?
f. Does the data contain identifying information? (Authors, Watermarks, Digital Signature)
g. Is each single copy of the data generated and marked for the specific entity it is shared with?
h. Are the major systems providing the data under real-time security monitoring?
i. What are the availability requirements of the data/system?
j. How many people have privileged access to the data/system?
k. Is the data access system integrated with a strong authentication mechanism?
l. Is the data protected with a DRM (Digital Rights Management) solution?
m. Is the data protected with a DLP (Data Leakage Prevention) solution?
n. What are the possible data exfiltration vectors for the specific data types and existing environments? (Internet, Cellular Internet, Wireless, Bluetooth, Mass Storage (DOK, Camera, USB HDD), CD, DVD, Screen Capture, Physical Screen Photo)
7. Prioritizing the work process and defining Data Protection Requirements by data value and regulation requirements
a. Data Protection Requirements of the most enforced regulations
b. Data Protection Requirements of the most business-enabling regulations
c. Aligning to management's organizational approach to security
d. Considering the major usability requirements collected from data owners
e. Researching remediation solutions and determining their TCO for 5-10 years
8. Working with management
a. Setting up recurring meetings with management regarding the information security data protection strategy (Yearly Plan, Strategic Plan, Current & Emerging Threats, Discovered Data Security Incidents)
b. Presenting the overall cross-organizational calculated risk (by ALE, ARO)
c. Presenting the potential set of cross-organizational remediation solutions vs. costs required
d. Establishing decisions per threat and/or per major data system
e. Requesting corrections to the current budget
Controls based on the likelihood of security threats
Risk Management
Calculating Risks, Security Metrics and Risk Measurement Tools
1. BITS Key Risk Measurement Tool
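Both procedures above end with presenting calculated risk to management by ALE and ARO (step 7b per system, step 8b organization-wide) and with a 5-10 year TCO for each remediation (step 6d / 7e). The following added example (not from the book and not the BITS tool) carries that calculation through: it uses the standard formulas SLE = asset value x exposure factor and ALE = SLE x ARO, then ranks candidate controls by the risk they remove over the horizon minus their TCO. The threats, values and control costs are constructed for illustration.

```python
"""Annualised loss expectancy (ALE) per threat and a multi-year cost comparison of candidate
controls, the numbers a CISO puts in front of management.

Added example: not from the book or from the BITS tool. Formulas are the standard ones:
SLE = asset value x exposure factor, ALE = SLE x ARO. The threats and controls below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the data/system at risk, in currency units
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    aro: float              # annualised rate of occurrence, incidents per year

    @property
    def sle(self):
        """Single loss expectancy: cost of one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annualised loss expectancy: expected yearly cost if nothing changes."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    threat: str             # name of the Threat this control mitigates
    capex: float            # one-off purchase and deployment cost
    opex_per_year: float    # licences, staff time, maintenance
    aro_reduction: float    # fraction of the threat's ARO the control removes (0..1)

    def tco(self, years):
        """Total cost of ownership over the planning horizon (5-10 years)."""
        return self.capex + self.opex_per_year * years


def net_benefit(control, threat, years):
    """Risk removed over the horizon minus what the control costs; positive means worth funding."""
    risk_removed_per_year = threat.ale * control.aro_reduction
    return risk_removed_per_year * years - control.tco(years)


def rank_controls(threats, controls, years=5):
    """Return (control, threat, net_benefit) rows, best business case first."""
    by_name = {t.name: t for t in threats}
    rows = [(c.name, c.threat, round(net_benefit(c, by_name[c.threat], years), 2))
            for c in controls]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed figures (assumption: illustrative only, not taken from any survey).
THREATS = [
    Threat("Stolen remote-access credentials",
           asset_value=2_000_000, exposure_factor=0.10, aro=0.5),
    Threat("Lost laptop with unencrypted customer data",
           asset_value=500_000, exposure_factor=0.20, aro=2.0),
]
CONTROLS = [
    Control("Two-factor authentication for remote access", "Stolen remote-access credentials",
            capex=60_000, opex_per_year=15_000, aro_reduction=0.7),
    Control("Full-disk encryption on laptops", "Lost laptop with unencrypted customer data",
            capex=40_000, opex_per_year=5_000, aro_reduction=0.9),
    Control("Outsourced 24x7 monitoring of remote access", "Stolen remote-access credentials",
            capex=0, opex_per_year=120_000, aro_reduction=0.5),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: SLE={t.sle:,.0f} ALE={t.ale:,.0f}")
    for name, threat, benefit in rank_controls(THREATS, CONTROLS, years=5):
        print(f"{benefit:>12,.0f}  {name}  (vs. {threat})")
```

The horizon matters: a control with no capex but high recurring cost can look attractive in year one and still be a net loss over the 5-10 year window the strategy steps ask for, which is why the ranking takes `years` as a parameter.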
Implement specific techniques and tools to protect data and systems
Protecting Data
DRM - Digital Rights Management
Digital rights management (DRM) is a class of access control technologies used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices after sale.
DRM is any technology that inhibits uses of digital content that are not desired or intended by the content provider. Copy protections which can be circumvented without modifying the file or device, such as serial numbers or key files, are not generally considered to be DRM.
DRM also includes specific instances of digital works or devices. Companies such as Amazon, AOL, Apple Inc., the BBC, Microsoft and Sony use digital rights management protections.
Works can become permanently inaccessible if the DRM scheme changes or if the service is discontinued. Proponents argue that digital locks should be considered necessary to prevent "intellectual property" from being copied freely, just as physical locks are needed to prevent personal property from being stolen.
Digital locks placed in accordance with DRM policies can also restrict users from doing something perfectly legal, such as making backup copies of CDs or DVDs, lending materials out through a library, accessing works in the public domain, or using copyrighted materials for research and education under fair use laws.
Common DRM techniques
1. Restrictive Licensing Agreements: access to digital materials, copyright and public domain is controlled. Some restrictive licenses are imposed on consumers as a condition of entering a website or when downloading software.
2. Encryption
3. Scrambling of expressive material
4. Embedding of a tag (digital watermarking): this technology is designed to control access to and reproduction of online information, including backup copies for personal use.
Technologies DRM is used to protect:
1. DRM and film
2. DRM and television
3. DRM and music
4. Audio CDs
5. Internet music
6. Computer games
7. E-books
DRM and documents
Enterprise digital rights management (E-DRM or ERM) is the application of DRM technology to the control of access to corporate documents such as Microsoft Word, PDF, and AutoCAD files, emails, and intranet web pages rather than to the control of consumer media.
E-DRM, now more commonly referred to as IRM (Information Rights Management), is generally intended to prevent the unauthorized use (such as industrial or corporate espionage or inadvertent release) of proprietary documents. IRM typically integrates with content management system software.
DRM has been used by organizations such as the British Library in its secure electronic delivery service to permit worldwide access to substantial numbers of rare (and in many cases unique) documents which, for legal reasons, were previously only available to authorized individuals actually visiting the Library's document centre at Boston Spa in England.
Watermarks
Digital watermarks are features of media that are added during production or distribution. Digital watermarks involve data that is arguably steganographically embedded within the audio or video data.
Watermarks can be used for different purposes that may include:
- recording the copyright owner
- recording the distributor
- recording the distribution chain
- identifying the purchaser of the music
Watermarks are not complete DRM mechanisms in their own right, but are used as part of a system for Digital Rights Management, such as helping provide prosecution evidence for purely legal avenues of rights management, rather than direct technological restriction.
Laws regarding DRM
Digital Millennium Copyright Act
In 1998 the Digital Millennium Copyright Act (DMCA) was passed in the United States to impose criminal penalties on those who make available technologies whose primary purpose and function is to circumvent content protection technologies.
IRM - Information Rights Management
Information Rights Management (IRM) is a term that applies to a technology which protects sensitive information from unauthorized access. It is sometimes referred to as E-DRM or Enterprise Digital Rights Management. This can cause confusion because Digital Rights Management (DRM) technologies are typically associated with business-to-consumer systems designed to protect rich media such as music and video. IRM is a technology which allows information (mostly in the form of documents) to be remote-controlled. This means that information and its control can now be separately created, viewed, edited and distributed. Some existing IRM systems have been ongoing developments of DRM-style systems; however, a true IRM system has some important differences and is typically used to protect information in a business-to-business model, such as financial data, intellectual property and executive communications. IRM currently applies mainly to documents and emails.
IRM technologies allow for several levels of security. Functionality offered by IRM usually comprises:
- Industry-standard encryption of the information.
- Strong in-use protection, such as controlling copy & paste, and preventing screen shots and printing.
- A rights model/policy which allows for easy mapping of business classifications to information.
- Offline use, allowing users to create/access IRM-sealed documents without needing network access for certain periods of time.
- Full auditing of both access to documents and changes to the rights/policy by business users.
An example of IRM in use would be to secure a sensitive engineering document being distributed in an environment where the document's recipients could not necessarily be trusted. Alternatively, an e-mail could be secured with IRM, so that if it is accidentally forwarded to an untrusted party, only authorized users would gain access. Note that a well-designed IRM system will not limit the ability for information to be shared; rather, rules are only enforced when people attempt to gain access. This is important, as people often share sensitive information with users who should legitimately have access but don't, and the technology needs to facilitate an easy request for access back to the business owners.
IRM is far more secure than shared-secret passwords; key management is used to protect the information whilst it is at rest on a hard disk, network drive or other storage device. Crucially, IRM continues to protect and control access to the document when it is in use. Functionality such as preventing screen shots, disallowing the copying of data from the secure document to an insecure environment and guarding the information from programmatic attack are key elements of an effective IRM solution. Bear in mind that these in-use controls are enforced by the client software on the reader's machine: an authorized user who controls that machine, or who simply photographs the screen (one of the exfiltration vectors listed above), can still copy the content. IRM raises the cost of leakage and leaves an audit trail; it does not make leakage impossible.
Seclore Technology from India has made very promising tools for IRM. Zafesoft Inc., a Silicon Valley (California) company, has created a solution for securing documents and the information in them as well as images (including medical images).
Information Rights Management is also known by the following names:
- Enterprise Rights Management
- Enterprise DRM or Enterprise Digital Rights Management
- Document Rights Management
- Intelligent Rights Management
Common IRM Solutions:
1. Covertix SmartCipher - Information Rights Management solutions
2. Seclore Technology - Information Rights Management solutions
3. Zafesoft Inc. - Information Security and Rights Management solutions
4. Microsoft - Rights Management solutions
5. Secure Islands - Rights Management solutions
Product Example: Secure Islands IQPROTECTOR FILE PROTECTION
System Architecture:
Feature Set:
Feature: Automatic classification at content creation
Benefit: 100% content identification accuracy, simple deployment, no repository scanning required
Feature: Automatic protection based on central policy
Benefit: Enterprise has complete control over what, why, when and how to protect data, completely transparent to the end user
Feature: Content marking - classification-driven addition of visual labels to documents
Benefit: Increase security awareness by visualizing document classification, raise both compliance and user accountability
Feature: Scanner Mode Server
Benefit: Classification and encryption of pre-existing content on file servers, NAS, SAN, and ECM repositories
Feature: Optional user classification, enabling the user to decide the type of classification required for a given document or mail
Benefit: Increased user accountability, added classification accuracy
Feature: Extends AD-RMS file format support (multi format)
Benefit: Protection for additional file formats, without application integration
Feature: Protection of client- or application-based content
Benefit: Applies RMS protection on files and data exported from applications without integration
Feature: Metadata labeling for DLP, FCI, eDiscovery, archiving
Benefit: Lowers the burden on DLP by accurately identifying, classifying and tagging sensitive enterprise data early in the data lifecycle to allow effective DLP enforcement
Feature: Protect documents upon access
Benefit: Apply AD-RMS protection on pre-existing content
Feature: Extendable to other encryption schemes
Benefit: Conversion of AD-RMS protected data to other protection schemes
Feature: Audit and report on every action on files everywhere
Benefit: Monitoring and audit mechanisms operate throughout the information lifecycle
Management Panel:
DLP - Data Leakage Prevention
Data Loss Prevention (DLP) is a computer security term referring to systems that enable organizations to reduce the corporate risk of the unintentional disclosure of confidential information. These systems identify, monitor, and protect confidential data while in use (e.g. endpoint actions), in motion (e.g. network actions), and at rest (e.g. data storage) through deep content inspection, contextual security analysis of the transaction (attributes of originator, data object, medium, timing, recipient/destination and so on), and a centralized management framework.
Vendor terminology:
1. Data Leak Prevention
2. Information Leak Detection and Prevention (ILDP)
3. Information Leak Prevention (ILP)
4. Content Monitoring and Filtering (CMF)
5. Information Protection and Control (IPC)
6. Extrusion Prevention System
7. Identification & Prevention of Data Exfiltration
Deployment and Coverage
Network DLP (aka Data in Motion)
Typically a software or hardware solution installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data being sent in violation of information security policies. It only sees what it can read: encrypted channels (TLS, SSH, VPN tunnels) must be terminated or inspected by the DLP device, otherwise they are blind spots.
Storage DLP (aka Data at Rest)
Data-loss prevention for stored data typically involves software that scans file servers, databases, document repositories, workstation drives and USB/external drives for sensitive content, so that it can be located, classified and then protected (encrypted, moved, quarantined or access-restricted) according to policy.
Endpoint DLP (aka Data in Use)
Such systems run on end-user workstations or servers in the organization. Like network-based systems, endpoint-based systems can address internal as well as external communications, and can therefore be used to control information flow between groups or types of users (e.g. 'Chinese walls'). They can also control email and instant messaging communications before they are stored in the corporate archive, such that a blocked communication (i.e., one that was never sent, and therefore not subject to retention rules) will not be identified in a subsequent legal discovery situation.
Endpoint systems have the advantage that they can monitor and control access to physical devices (such as mobile devices with data storage capabilities) and in some cases can access information before it has been encrypted.
Some endpoint-based systems can also provide application controls to block attempted transmissions of confidential information, and provide immediate feedback to the user. They have the disadvantage that they need to be installed on every workstation in the network, cannot be used on mobile devices (e.g., cell phones and PDAs) or where they cannot be practically installed (for example on a workstation in an internet café).
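"Deep content inspection" is the part of DLP that decides whether a message actually carries regulated data. The following added example (not code from the book or from any DLP product) shows the core of a payment-card detector as an endpoint or network DLP engine would apply it to an outgoing message: a regex finds candidate numbers, a Luhn check discards false positives such as ticket numbers, and the verdict is logged with the numbers masked so the alert itself does not leak the data. The e-mail body is constructed; the two card numbers in it are the well-known public test numbers, not real accounts.

```python
"""Content inspection as a DLP engine does it: find payment card numbers in text and decide
whether to block the transfer.

Added example: not code from the book or from any DLP product. The e-mail body below is
constructed; the two card numbers in it are the well-known public test numbers, not real accounts.
"""
import re

# Candidate PAN: 13 to 19 digits, each optionally followed by a space or dash, not glued to
# other digits. The lookarounds stop a longer serial number from yielding a 19-digit "card".
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation, which every real PAN passes and most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (offset, digits) for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def mask_pan(pan):
    """Keep the first 6 and last 4 digits, the usual PCI-DSS display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect(text, block_threshold=1):
    """Policy decision for one message: block when at least block_threshold PANs are present.

    The masked list is what goes into the alert, so the DLP log never carries a full PAN.
    """
    hits = find_pans(text)
    return {
        "block": len(hits) >= block_threshold,
        "count": len(hits),
        "masked": [mask_pan(p) for _, p in hits],
    }


# Constructed sample message: two public test PANs plus a 16-digit ticket number that is not a
# valid card (fails Luhn) and a 12-digit order id that is too short to be one.
SAMPLE_EMAIL = (
    "Hi, please process the refund for card 4111 1111 1111 1111 (exp 12/14) and the second "
    "one 5500-0000-0000-0004. Ticket ref 1234567890123456, order 2012-0001-7788."
)

if __name__ == "__main__":
    print(inspect(SAMPLE_EMAIL))
```

Raising `block_threshold` turns the same engine into a bulk-exfiltration detector (for example, alert on a single card but block only when a file contains dozens), which is how products usually separate a customer-service e-mail from a dumped database.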
Open Source Solutions:
OpenDLP
MyDLP Community Edition
Audit the identified and implemented controls to ensure that they operate effectively and that they comply with established standards

1. Feature and acceptance testing
   1.1. Verify that the features designed into the controls work properly. For example, verify that only the specifically defined websites are protected by the Web Application Firewall, and that the ones which are not compatible with it are not harmed.
2. Recurring vulnerability assessment
   2.1. Verify that patching systems work properly in practice (the vulnerability scanner should no longer find the issues the patches claim to fix).
   2.2. Verify that passwords match the complexity requirements in practice, not only on paper.
   2.3. Recurring verification of personnel alertness to security events.
3. Penetration testing
   3.1. Verify log quality in practice (does the attack show up, with enough detail to reconstruct it?).
   3.2. Verify that real-time protection/response systems work properly in practice.
   3.3. Verify that real-time/scheduled alerting mechanisms work properly in practice.
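An executable form of step 2.2, added here as an example (not code from the book): the written complexity policy as a function, so that it can be run against the candidates you actually try to set during the audit, or against a cracked-hash list, instead of trusting that the directory enforces the policy. The policy values, the banned-word list and the sample accounts are assumptions made for the example.

```python
"""Audit step 2.2, "verify passwords match the complexity requirements in
practice": an executable form of the written policy.  Added example, not code
from the book; the policy values, the banned-word list and the sample
accounts are assumptions made for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int = 12
    min_classes: int = 3          # out of: lower, upper, digit, symbol
    max_run: int = 3              # longest allowed run of one repeated character
    banned: tuple = ("password", "welcome", "qwerty", "123456")


CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"\d"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def violations(username: str, password: str, policy: Policy = Policy()) -> list:
    """Every policy rule the password breaks (empty list means compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} < {policy.min_length}")
    classes = sum(1 for rx in CLASSES.values() if rx.search(password))
    if classes < policy.min_classes:
        problems.append(f"only {classes} of {policy.min_classes} character classes")
    # (.)\1{n,} matches a character followed by n more copies, i.e. a run of n+1
    if re.search(r"(.)\1{%d,}" % policy.max_run, password):
        problems.append(f"run of more than {policy.max_run} identical characters")
    low = password.lower()
    if any(word in low for word in policy.banned):
        problems.append("contains banned word")
    if len(username) >= 3 and username.lower() in low:
        problems.append("contains username")
    return problems


def audit(accounts, policy: Policy = Policy()) -> dict:
    """Map each failing username to its violations; compliant accounts are omitted."""
    failed = {}
    for username, password in accounts:
        found = violations(username, password, policy)
        if found:
            failed[username] = found
    return failed


# Constructed sample: plaintext only because this is a lab check.
SAMPLE_ACCOUNTS = [
    ("alice", "Tr0ub4dor&3xample!"),
    ("bob", "Password123"),
    ("carol", "carolcarol2024!!"),
    ("dave", "aaaa1111BBBB$$$$"),
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(problems)}")
```

The username and banned-word checks are the ones a plain "three character classes" policy misses: "Password123" satisfies the class rule and still fails the audit.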
Preventing physical intrusions

Using Mantraps
A mantrap (aka interlock, aka airlock) is a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. Identification may be required at each door, possibly with a different measure at each. For example, a key may open the first door, while a personal identification number entered on a keypad opens the second.
Other methods of opening the doors include proximity cards or biometric devices such as fingerprint readers or iris recognition scanners. Metal detectors are often built in to prevent the entrance of people carrying weapons; such use is particularly frequent in banks and jewelry shops.
Mantraps may be configured so that when an alarm is activated, all doors lock and trap the suspect between the doors in the "dead space", or only one door locks to deny access to a secure space such as a data center or research lab.
An effective mantrap physically contains only one person at a time, in order to prevent tailgating (piggybacking), where an unauthorized person passes through on the credentials of the person in front.
Spinning Glass Doors
Turnstiles
Combining mantraps with security cameras and facial recognition
It is very effective to combine a mantrap with a close-up camera; this yields a time-stamped close-up face picture of everyone who entered and left the secure area.
In addition, it is extremely effective to combine the mantrap camera's output with a facial recognition solution in order to get a full protection-and-detection security system: the mantrap enforces one person per credential, and the camera record shows who that person actually was.
Using swipe-based biometric authorization devices
Not secure: With a touch (area) fingerprint reader, after it scans your fingerprint a latent print stays on the sensor surface. It can be lifted, replicated and used to spoof the reader.
Secure: Fingerprint swipe scanners are more secure, since the swiping motion itself wipes your own print off the sensor surface, leaving no usable residue behind. Keep in mind that the residue on the reader is only one source of a print; a copy can also be lifted from any glass or surface the user touched, so a fingerprint should always be combined with a second factor such as a PIN or card.
Extremely secure: Full hand swipe. A full-hand print is very hard to obtain and extremely challenging to spoof. Notice that this solution is also swipe based and does not leave the user's fingerprint at risk.
Strong Authentication
Combining fingerprint swipe with PIN code.
[Figures: Fingerprint swipe + magnetic card (variants captioned "Not Secure" and "Secure"); Keyboard with security (variants captioned "Not Secure", "Secure" and "Extremely Secure")]
Using white noise generators to disturb eavesdropping

Low-cost hardware solutions. A white noise generator is used to:
1. make other noise coming into an area less distracting, or
2. reduce the chance of overhearing adjacent conversations, or
3. reduce the chance of having your conversation overheard by someone else, or
4. aid in alleviating the effects of tinnitus by providing a low-level broad-band noise to help achieve the "habituation" of tinnitus.
For eavesdropping protection only item 3 matters: the noise has to cover the speech band (300 Hz - 3 kHz, which is exactly the frequency range quoted in the specifications below) at the position of the listening device, not at the position of the speakers.

Common technical specifications: Weight: 12 oz. (340.2 g). Audio frequency range: 300 Hz - 3 kHz. Output sound level: max 92 dB @ 4 ft. Power: two 9 volt alkaline batteries or AC transformer (120 or 240 VAC).
iPhone applications
Studio Six Digital - AudioTools - Generator
[Figure: generator output levels. Sine wave: 1000 Hz 6.85 dBu, 10 kHz 6.87 dBu, 31 Hz 6.75 dBu. Pink noise: full bandwidth -20.0 dBu; octave bands 1k, 125, 31 and 16k each -31.0 dBu. White noise: full band -28.9 dBu, octave bands vary. Square wave: 63 Hz 3.43 dBu, 1000 Hz 3.44 dBu.]
Rabble Noise Generator
Features (vendor description): Designed by TSCM/counter-surveillance professionals; the vendor states it protects against all types of acoustic eavesdropping when used according to the recommendations.
It employs a new approach to conversation protection: a speech-like noise which, in most cases, has proven more efficient than white noise. The noise has been "compiled" from real human conversations and resembles the noise of a "rabble" in busy public places. This type of noise is the most effective at creating interference for voice recorders and listening devices, especially when the size of the protective device is critical.
Kinds of listening devices rendered useless by the Rabbler (according to the vendor): voice recorders; radio microphones; GSM/3G bugs; body-carried video cameras (watches, ties, etc.; jamming of the audio track); wired microphones; any other type of audio surveillance.
The Rabbler creates an additional interference barrier that masks your speech. Once a certain noise level is reached at the listening device, the speech component becomes extremely difficult or impossible to extract from what it records or transmits. Because the generator produces speech-like noise, cleaning it out of the recording is extremely difficult or most likely impossible, provided the noise level is sufficient.
Distortion & Reverberation Generator
DRUID D-06
Top-of-the-line protection system. According to its maker it is the only device of its kind that gives 100% protection to conversations against interception or recording. The DRUID D-06 creates powerful interference against all kinds of listening devices; even a person standing next to the participants will not be able to understand what is being said. The headsets allow the users to hear each other clearly while the DRUID's central unit produces the interference. It is powered from 220 V or from the internal rechargeable battery, with a running time of 36 hours, and is supplied in a carry case.
Not all listening devices can be detected by existing methods, and the DRUID D-06 addresses this by protecting the speech itself rather than searching for the bug. Remotely controlled radio microphones, wired microphones, passive resonators and miniature voice recorders practically cannot be detected by conventional methods. Even a modern cellular phone may contain a digital voice recorder, which means that any phone lying on the desk could be used by an adversary to record a conversation.
The vendor states that the generated audio interference cannot be removed by any noise-clearance method, while the interference causes no inconvenience to the participants of the negotiation thanks to the special headsets, which let users hear each other with crystal-clear quality.
Laptop & PC Configurations

VDI
[Figures: Motivations for VDI; Poll results: is VDI more expensive than PC?; Annual facilities costs, PC vs. VDI]
Comparing Endpoint PC Security to VDI Security
Parameters compared for a PC versus a VDI thin client / chip PC:
- Allows working locally if the network is down
- Easy to maintain security
- Hardware renewal: PC, complete hardware should be renewed every 5 years (~$800); VDI thin client, every 8+ years (~$400)
- Privilege escalation allows: PC, taking over the endpoint; VDI, taking over an entire server (and with it every desktop hosted on it, which is why VDI hosts must be hardened and segmented more strictly than any single PC)
- Full compatibility with external devices and smart cards
- Physical security is not a risk
- No hard disk encryption is required
- Endpoint backup and roaming profiles are not a must
- Not vulnerable to boot kits and MBR/BIOS viruses
VDI Security Comparison: Citrix XenDesktop vs. VMware View

Security Feature | VMware View 4.6 | Citrix XenDesktop 5
Client authentication methods | Active Directory; Kerberos realm in mixed AD/MIT Kerberos environments; RSA SecurID; X.509 certificate | Active Directory; Kerberos realm in mixed AD/MIT Kerberos environments; RSA SecurID; X.509 certificate
Support for 2-factor authentication? | Yes | Yes
Control redirection/mapping of local host hard drives | Yes | Yes
Control host clipboard redirection for text copy/paste | Yes | Yes
Control host clipboard redirection for files and folders? | No, files and folders cannot be copied between host and View using PCoIP | Yes
Full-screen-only mode with no toggle to local host OS | Yes, but only with hardware thin client | Yes, but only with type 1 deployment
Single sign-on support | Yes | Yes
Granular USB redirection control | No, just basic USB redirect on or off | Yes, very granular criteria including: VID, PID, REL, Class, SubClass, Prot tags in the USB device descriptor field
Allow read-only access to USB hard drives | No, but you can use GPO MSFT policies to accomplish this | Yes, very granular criteria including: VID, PID, REL, Class, SubClass, Prot tags in the USB device descriptor field
Communication protocol used | RDP or PCoIP | ICA
Are communications encrypted natively? | Yes, if using PCoIP to a Windows 2008 security server. AES 128-bit SSL | Yes, if connecting to a Citrix security gateway. AES 128-bit SSL
VDI communications can run over a 3rd party SSL VPN connection? | Yes | Yes
VDI can USB sync iOS devices like iPhone and iPad | Yes | Yes
Ability to run VDI client in offline or local mode | Yes, as a type 2 hypervisor (i.e. application on an existing OS) | Yes, as a type 1 bare metal hypervisor (i.e. boot directly into VDI client). The install of XenClient offline mode requires you to destroy or overwrite your current host OS. It also requires hardware virtualization found only on Intel vPro family of CPUs. The benefit is that it has better performance because it accesses the hardware directly and not through a guest OS like a type 2 hypervisor. The potential drawback is that it dedicates that host to being just a XenClient unless you enable dual booting. In some cases this is actually a plus since it solves the security issues that come with having a guest OS that VDI runs on top of.
Ability to manage offline VDI clients | Yes, you can also force the user to periodically check in their VDI so it is properly backed up and updated. | No, but automated backups are performed by the client
Ability to encrypt VDI files and folders on the guest OS | Yes | Yes, called XenVault. Uses up to 256-bit AES encryption. Can be wiped centrally/remotely if needed
Lock out VDI if communication to server is lost for X time period? | Yes | Unknown
Microsoft Active Directory is required for policy settings of VDI? | No | Yes
Control mapping to host drives | Yes, RDP only | Yes
Built-in bandwidth protocol management | Yes, using PCoIP | Yes, limit bandwidth per session
Restrict access based on time/location/device type | No | Yes
Restrict VDI functionality based on time/location/device type | No | Yes
IPv6 support | No | No
FIPS 140-2 compliant | Yes | Yes
VDI security best practices whitepaper published | Yes | Yes
Embedded firewall at VDI headend | Yes, vShield | Yes, Citrix Secure Gateway
VDI anti-virus offload to virtual appliance | Yes, vShield Endpoint required. Removes requirement for AV clients on each VDI host. | Yes, using integration with McAfee MOVE A/V. Removes requirement for AV clients on each VDI host
Supports multiple AD forests and multiple AD domains | Yes | Yes
As you can see, both vendors have compelling offers with their own strengths and weaknesses. I don't see a huge security advantage of one over the other. Instead, your choice will depend on your specific requirements more than anything else. Technology changes rapidly, especially in the VDI space, so be sure to validate what I have here with other sources or the vendors themselves. If you see something that has become no longer true please post a comment and I will update this posting. If you know of some security comparisons I should have included please post them as well.
Data as a service
Data as a service, or DaaS, is a cousin of software as a service. Like all members of the "as a Service" (aaS) family, DaaS is based on the concept that the product, data in this case, can be provided on demand to the user regardless of the geographic or organizational separation of provider and consumer. Additionally, the emergence of service-oriented architecture (SOA) has rendered the actual platform on which the data resides irrelevant as well. This development has enabled the recent emergence of the relatively new concept of DaaS.
Traditionally, most enterprises have used data stored in a
self-contained repository, for which software was
specifically developed to access and present the data in a
human-readable form. One result of this paradigm
is the bundling of both the data and the software needed to
interpret it into a single package, sold as a
consumer product. As the number of bundled software/data
packages proliferated and required interaction
among one another, another layer of interface was required.
These interfaces, collectively known
as enterprise application integration (EAI), often tended to
encourage vendor lock-in, as it is generally easy
to integrate applications that are built upon the same
foundation technology.
The result of the combined software/data consumer package and
required EAI middleware has been an
increased amount of software for organizations to manage and
maintain, simply for the use of particular
data. In addition to routine maintenance costs, a cascading
amount of software updates are required as the
format of the data changes. The existence of this situation
contributes to the attractiveness of DaaS to data
consumers because it allows for the separation of data cost and
usage from that of a specific software or
platform.
Benefits
Data as a Service brings the notion that data quality can happen in a centralized place, cleansing and enriching data and offering it to different systems, applications or users, irrespective of where they are in the organization or on the network. As such, Data as a Service solutions provide the following advantages:
Agility: customers can move quickly due to the simplicity of the data access and the fact that they do not need extensive knowledge of the underlying data. If customers require a slightly different data structure or have location-specific requirements, the implementation is easy because the changes are minimal.
Cost-effectiveness: providers can build the base with the data experts and outsource the presentation layer, which makes for very cost-effective user interfaces and makes change requests at the presentation layer much more feasible.
Data quality: access to the data is controlled through the data services, which tends to improve data quality because there is a single point for updates. Once those services are tested thoroughly, they only need to be regression tested if they remain unchanged for the next deployment.
Security
Like any other cloud-based service, there are several main issues:
1. Network downtime: vendor or client downtime for maintenance, disaster or denial-of-service attacks completely denies the users the ability to work.
2. Data security at the provider: data is physically stored on the vendor's remote servers and may be read, modified or deleted, whether by mistake or through bribery, extortion, etc.
3. Data security over the Internet: all the information is transferred on the wire and physically leaves the organization's computers. This enables hostile states and other adversaries to record the traffic, attempt to decrypt it, and obtain secret information.
PC Metal Locking

Disabling Internal/External USB, DVD, CD-ROM Boot
Organizations should implement an intensive Endpoint Security Solution for Device Control. The solution must cover the following aspects:
1. Protected physical interfaces
   1.1. USB
   1.2. FireWire
   1.3. PCMCIA
   1.4. Secure Digital (SD)
   1.5. Parallel
   1.6. Serial
   1.7. Modem
   1.8. Internal ports
2. Protected wireless interfaces
   2.1. Wi-Fi
   2.2. Bluetooth
   2.3. Infra-Red (IrDA)
3. Protected storage devices
   3.1. External hard drives
   3.2. Removable storage devices
   3.3. CD / DVD drives
   3.4. Floppy drives
   3.5. Tape drives
Security Policy - Flexible Strategy, Simple Implementation
Different organizations have different needs and different corporate cultures. That is why device control solutions allow administrators to first choose their endpoint security strategy, and then implement it in line with their unique organizational needs.
Device control solutions create forensic logs of all data moving in and out of the organization, allowing administrators to create policies that do not necessarily restrict device usage but give full visibility of device activity and content traffic. Through a flexible management console, device control solutions allow administrators to create comprehensive and granular endpoint security policies.

Device control solutions - Features and Benefits
- Granular control: detects and restricts devices by device type, device model or unique serial number. A vendor/product ID can be spoofed by a malicious device, so pair model-based rules with serial numbers and an encryption requirement where possible.
- Data awareness: controls the transfer of files both to and from external storage devices according to file type.
- Removable media encryption: encrypts corporate data in motion on removable storage devices, external hard drives and CD/DVDs.
- Tracking of offline usage of removable storage: tracks file transfers to/from encrypted devices on non-corporate computers (offline).
- Built-in compliance policies: includes detailed configurations for achieving security policies that are mapped to specific regulatory compliance standards such as PCI, HIPAA and SOX.
- Granular Wi-Fi control: by MAC address, SSID, or the security level of the network.
- Anti-bridging: prevents hybrid network bridging by blocking Wi-Fi, Bluetooth, modems or IrDA while the PC is connected to the wired corporate LAN.
- Anti-hardware keylogger: blocks or detects both USB and PS/2 hardware keyloggers.
- U3 and autorun control: turns U3 USB drives into regular USB drives while attached to organization endpoints, protecting against auto-launch programs by blocking autorun.
- Flexible and intuitive management: automatically synchronizes with Microsoft Active Directory and Novell eDirectory.

If the organization decides to allow the use of USB devices such as USB Disk-On-Keys and USB storage devices, it should use secure solutions. Secure Disk-On-Key solutions are:
1. Encrypted, and additionally:
   - require a password, or
   - require a certificate and a password, or
   - require a biometric fingerprint, or
   - require a certificate and a biometric fingerprint.
2. Equipped with a physical switch between two modes: read only, and read and write.
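The decision logic behind the granular control, anti-bridging and forensic-logging features above, as an added example (not code from the book or from any vendor's product): ordered rules keyed on USB class, vendor ID, product ID or serial number, an encryption requirement for the corporate key model, a read-only fallback for every other mass-storage device, and a wireless-adapter block that applies only while the wired LAN is up. The rule format, the log-line format, the device records and all VID/PID/serial values are invented for the example; the class codes are the standard USB-IF ones.

```python
"""Device-control policy evaluation: match each plugged-in USB device against
ordered rules (class, VID, PID, serial, encryption), with an anti-bridging
rule for wireless adapters and one forensic log line per attach event.
Added example, not code from the book or from any vendor product.  The rule
format, the log format, the device records and all VID/PID/serial values are
assumptions invented for the example."""
from dataclasses import dataclass
from typing import Optional

# USB interface class codes from the USB-IF class table.
USB_HID = 0x03
USB_MASS_STORAGE = 0x08
USB_WIRELESS = 0xE0


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    dev_class: int
    serial: str = ""
    encrypted: bool = False     # hardware-encrypted storage, if the agent can tell


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow", "read_only" or "deny"
    dev_class: Optional[int] = None
    vid: Optional[int] = None
    pid: Optional[int] = None
    serial: Optional[str] = None
    require_encrypted: bool = False

    def matches(self, d: Device) -> bool:
        """Every criterion that is set must match; unset criteria are wildcards."""
        return (
            (self.dev_class is None or d.dev_class == self.dev_class)
            and (self.vid is None or d.vid == self.vid)
            and (self.pid is None or d.pid == self.pid)
            and (self.serial is None or d.serial == self.serial)
            and (not self.require_encrypted or d.encrypted)
        )


# Ordered most specific first; the first match wins.  Values are invented.
RULES = [
    Rule("deny", serial="CORP-0042"),                                   # reported lost
    Rule("allow", dev_class=USB_MASS_STORAGE, vid=0x1234, pid=0x5678,
         require_encrypted=True),                                       # corporate key model
    Rule("read_only", dev_class=USB_MASS_STORAGE),                      # any other stick
    Rule("allow", dev_class=USB_HID),                                   # keyboards, mice
    Rule("allow", dev_class=USB_WIRELESS),                              # allowed only off-LAN
]


def decide(device: Device, rules=RULES, wired_lan_up: bool = False, default: str = "deny"):
    """Return (action, reason).  Anti-bridging is checked before the rule table
    so that no allow rule can open a second network path while on the wired LAN."""
    if device.dev_class == USB_WIRELESS and wired_lan_up:
        return "deny", "anti-bridging: wired corporate LAN is connected"
    for i, rule in enumerate(rules):
        if rule.matches(device):
            return rule.action, f"rule {i}"
    return default, "no rule matched, default policy"


def forensic_log(host: str, device: Device, wired_lan_up: bool = False) -> str:
    """One log line per attach event, so even a permissive policy gives visibility."""
    action, reason = decide(device, wired_lan_up=wired_lan_up)
    return (f"host={host} vid={device.vid:04x} pid={device.pid:04x} "
            f"class={device.dev_class:02x} serial={device.serial or '-'} "
            f"encrypted={int(device.encrypted)} action={action} reason=\"{reason}\"")


if __name__ == "__main__":
    # Constructed attach events on a workstation that is on the wired LAN
    events = [
        Device(0x1234, 0x5678, USB_MASS_STORAGE, "CORP-0001", encrypted=True),
        Device(0x1234, 0x5678, USB_MASS_STORAGE, "CORP-0042", encrypted=True),
        Device(0xABCD, 0x0001, USB_MASS_STORAGE, "CONSUMER-1"),
        Device(0x1234, 0x5678, USB_MASS_STORAGE, "CORP-0099"),   # same model, encryption off
        Device(0x2222, 0x0002, USB_WIRELESS, "BT-1"),
        Device(0x3333, 0xC31C, USB_HID),
    ]
    for dev in events:
        print(forensic_log("ws-17", dev, wired_lan_up=True))
```

Two details matter in practice: the lost-device deny sits above the model allow, so a stolen corporate key cannot ride on the model rule, and the same model without hardware encryption drops to read-only rather than inheriting the allow.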
Biometric Integrated USB Devices:
Setting BIOS Passwords
BIOS passwords can add an extra layer of security for desktop and laptop computers. They are used either to prevent a user from changing the BIOS settings (for example re-enabling USB or CD-ROM boot) or to prevent the PC from booting at all without a password. Unfortunately, BIOS passwords can also be a liability if a user forgets the password, or changes it to intentionally lock out the corporate IT department. Sending the unit back to the manufacturer to have the BIOS reset can be expensive and is usually not covered by the warranty. Never fear, all is not lost: there are a few known backdoors and other tricks of the trade that can be used to bypass or reset the BIOS. The flip side is that an attacker with physical access can use the same tricks, so a BIOS password protects the boot order and settings, not the data on the disk; that still needs full disk encryption.
Upgrading to Windows 7 + UAC

User Account Control
User Account Control (UAC) helps defend your PC against hackers and malicious software. Any time a program wants to make a major change to your computer, UAC lets you know and asks for permission.
In Windows 7, UAC is less intrusive and more flexible than in Windows Vista. Fewer Windows 7 programs and tasks require your consent. If you have administrator privileges on your PC, you can also fine-tune UAC's notification settings in Control Panel. For managed machines the Windows 7 default level is not enough: it silently auto-elevates signed Windows binaries, which malware running as the user can abuse to elevate without any prompt, so set UAC to "Always notify" through Group Policy and, more importantly, do not give users local administrator rights at all, since Microsoft itself does not treat UAC as a security boundary.
User Account Control (UAC) is a feature in Windows that can help you stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. If you are doing tasks that can be done as a standard user, such as reading e-mail, listening to m