Implementing Security Controls

al4629740
The term "security controls", and their implementation, will be discussed in a meeting I have next week.  How would you define in practical terms what security controls are on a network, and how would they be tested periodically? Examples would be appreciated.

It may seem like an abstract question, but I would like to see what the responses are to the question.
Ugra Narayan Pandey, Cloud Security Expert

Commented:
Hi,

When we are talking about Network Security Controls, we have to understand how to secure the endpoint network to protect company information from unwanted access.

Three Types of Network Security Controls are Preventative, Detective, and Responsive

Next, we have to understand what the common security control responsibilities are:

1. Create common controls documentation in your security plan.
2. Ensure that your security plan is developed, implemented and assessed by qualified security experts.
3. Make a document containing the assessment plan and implementation reports.
4. Execute your security plan without any limitations or errors.
5. Receive security plan authorization from designated officers.
6. Monitor common control effectiveness on an ongoing basis.

Thanks
David Favor, Linux/LXD/WordPress/Hosting Savant
Distinguished Expert 2018

Commented:
You are correct, this is an abstract question. With no context it is tough to give anything useful.

Here's my approach to network security... which I use with 1000s of sites...

Simple.

All conversations run encrypted. This means no plain text protocols are allowed.

All traffic runs as HTTPS, FTPS, IMAP4S, POP3S, MySQL... also any oddball API ports... Every shred of traffic runs encrypted. Period. No exception.

This covers practical, day to day security.

Testing is simple too. Just run tshark or another command line scraper looking for human readable text. If you find any, then some app has been missed and must be locked down (encrypted traffic) also.
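The check described above (look at captured traffic and flag anything that is still human readable) can be automated. The following is an added example, not code from the original post, that scores captured TCP payloads with a printable-byte ratio and a Shannon entropy estimate, treats a TLS record header as encrypted, and reports the destination ports still carrying plaintext. The captures are constructed sample data embedded inline; in practice the payloads would come from a capture file (tshark, tcpdump) rather than from this list.

```python
import hashlib
import math
from dataclasses import dataclass


@dataclass
class Capture:
    """One captured TCP segment: destination port and application payload."""
    dst_port: int
    payload: bytes


# Constructed sample captures (not real traffic). The "encrypted" payloads are
# deterministic hash output so the example runs offline and repeatably.
_RANDOM_LOOKING = b"".join(
    hashlib.sha256(f"sample-{i}".encode()).digest() for i in range(3)
)
SAMPLES = [
    Capture(21, b"USER alice\r\nPASS hunter2\r\n"),                    # FTP login in clear
    Capture(80, b"GET /login?user=bob HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Capture(443, bytes([0x16, 0x03, 0x03, 0x00, 0x60]) + _RANDOM_LOOKING),  # TLS handshake
    Capture(25, b"EHLO mail.internal\r\nMAIL FROM:<bob@internal>\r\n"),   # SMTP in clear
    Capture(8443, _RANDOM_LOOKING),                                      # opaque API traffic
]

# Bytes a human would read as text: printable ASCII plus tab, LF, CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for an empty payload)."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def shannon_entropy(payload: bytes) -> float:
    """Bits of entropy per byte; text sits around 4-5, ciphertext near 8."""
    if not payload:
        return 0.0
    counts = {}
    for b in payload:
        counts[b] = counts.get(b, 0) + 1
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_plaintext(payload: bytes, ratio_threshold: float = 0.85,
                    entropy_threshold: float = 5.5) -> bool:
    """Heuristic: high printable ratio and low entropy means readable text.

    A TLS record header (content type 0x16 = handshake, version 0x03xx) is
    treated as encrypted immediately, since its plaintext header would
    otherwise pull the ratio down for no useful reason.
    """
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return False
    return (printable_ratio(payload) >= ratio_threshold
            and shannon_entropy(payload) < entropy_threshold)


def find_unencrypted_ports(captures) -> list:
    """Destination ports, in capture order, whose payload still reads as text."""
    return [c.dst_port for c in captures if looks_plaintext(c.payload)]


if __name__ == "__main__":
    for port in find_unencrypted_ports(SAMPLES):
        print(f"plaintext traffic seen on port {port}: review and enforce encryption")
```

The thresholds are deliberately loose: the goal is a periodic sweep that surfaces forgotten plaintext services for review, not a precise protocol classifier, so a false positive costs a glance and a false negative is what you tune against.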
Commented:
In the CISSP All-in-One Exam Guide, Eighth Edition, Shon Harris states:
"… The different functionalities of security controls are preventive, detective, corrective, deterrent, recovery, and compensating. By having a better understanding of the different control functionalities, you will be able to make more informed decisions about what controls will be best used in specific situations. The six different control functionalities are as follows:
• Preventive - Intended to avoid an incident from occurring
• Detective - Helps identify an incident’s activities and potentially an intruder
• Corrective - Fixes components or systems after an incident has occurred
• Deterrent - Intended to discourage a potential attacker
• Recovery - Intended to bring the environment back to regular operations
• Compensating - Controls that provide an alternative measure of control …"

When you implement controls, keep in mind the CIA (confidentiality, integrity, availability). These three are the principles of security control. I usually define security controls into three main categories:
• Technical controls are hardware or software installations that are implemented to monitor and prevent threats and attacks; for example, installing and configuring a network firewall is a technical control.
• Physical controls are security measures that restrict, detect, and monitor access to specific physical areas or assets.
• Administrative controls, also called management controls, monitor an organization's adherence to security policies and procedures.

To provide Secure Network infrastructure and services consider these points:
• Defense in depth principle.
• Use threat modeling to map the attack surface.
• Make sure devices and network services are configured to minimize open network ports.
• Make sure devices and network services are protected against Denial of Service (DoS) attacks.
• Do not expose unauthenticated protocols or channels, such as TFTP and Telnet
• Use encrypted protocols to protect data in transit, or encrypt data before transmitting it.
• Use appropriately configured and up-to-date SSL/TLS.
• Provide an account lockout feature after a certain number of failed access attempts.
• Implement patch management to receive upgrades and security fixes.
• Enable logging capabilities, use SIEM products.
• Implement redundancy measures to mitigate hardware failures, which have a severe impact on availability.
etc.


References:
ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
Cisco's security blog http://blogs.cisco.com/security
SANS blogs http://www.sans.org/security-resources/blogs
SANS https://www.sans.org/security-resources/posters/security-leadership-poster/135/download
SANS https://www.sans.org/media/critical-security-controls/SANS_CSC_Poster.pdf
CIS https://learn.cisecurity.org/cis-controls-download
EE https://www.experts-exchange.com/articles/33330/Threat-Modeling-Process-Basics-and-Purpose.html
EE https://www.experts-exchange.com/articles/31793/Vulnerability-Assessments-versus-Penetration-Tests.html
EE https://www.experts-exchange.com/articles/31763/Incident-Handling-and-Response-Plan.html
EE https://www.experts-exchange.com/articles/33288/Secure-SDLC-Principles-and-Practices.html
OWASP: Avoiding Hacker Tricks

Learn to build secure applications from the mindset of the hacker and avoid being exploited.
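One of the controls listed above, account lockout after a certain number of failed access attempts, is small enough to show in full. The following is an added example, not code from the original answer or from any of the referenced sources. It keeps a sliding window of failed attempts per account and locks the account for a fixed period once the threshold is reached; the threshold, window and lockout duration are assumed values, and the clock is passed in explicitly so the behaviour can be checked deterministically.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LockoutPolicy:
    """Account lockout control with a sliding failure window.

    max_attempts: failures within `window_seconds` that trigger a lockout
    window_seconds: how far back failed attempts are counted
    lockout_seconds: how long the account stays locked once triggered
    (assumed values; tune to your own policy)
    """
    max_attempts: int = 5
    window_seconds: int = 900
    lockout_seconds: int = 900
    _failures: Dict[str, List[float]] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        """True while the account's lockout has not yet expired."""
        return self._locked_until.get(user, 0.0) > now

    def _recent_failures(self, user: str, now: float) -> List[float]:
        """Drop failures that fell out of the sliding window."""
        cutoff = now - self.window_seconds
        kept = [t for t in self._failures.get(user, []) if t > cutoff]
        self._failures[user] = kept
        return kept

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed attempt; returns True if this one locks the account."""
        recent = self._recent_failures(user, now)
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = []          # window restarts after the lockout
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure history."""
        self._failures.pop(user, None)

    def attempt_login(self, user: str, password_ok: bool, now: float) -> str:
        """Gate a login attempt: returns 'locked', 'ok' or 'failed'.

        The lock is checked before the credential result is even considered,
        so a correct password during the lockout does not reset anything.
        """
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.record_success(user)
            return "ok"
        self.record_failure(user, now)
        return "failed"


def simulate_brute_force(policy: LockoutPolicy, user: str, attempts: int) -> List[str]:
    """Feed `attempts` consecutive wrong passwords one second apart (constructed input)."""
    return [policy.attempt_login(user, False, float(t)) for t in range(attempts)]


if __name__ == "__main__":
    p = LockoutPolicy()
    print(simulate_brute_force(p, "alice", 7))   # failed x5 then locked x2
```

The sliding window matters for the audit side as well: logging the "locked" outcomes separately from ordinary failures gives a clean signal for a SIEM rule, and the explicit `now` parameter means the same test harness can replay captured authentication logs against the policy.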

btan, Exec Consultant
Distinguished Expert 2018

Commented:
Defend your network by segmentation and compartmentalise the critical servers from the non-critical systems; take a proactive stance, such as employing an active defense that, when attacked:

A. Uses a deception-based cybersecurity system to put decoy data and attack points all over its IT landscape.

B. An attacker gains access inside the perimeter of the network and is lured into accessing one of the decoys or the deception bait.

C. At this point, an alert is raised and security analysts can make a choice: Shut down the attack or contain the attack within the deception environment and observe what the attacker does next through forensic analysis.

It will also need to come from a "when" (not "if") strategy:

1. Control the Scope of Damage - Quarantine the known infected systems and contain the attack in an isolated environment. Perform forensic analysis to better understand the attack. Once an attack is detected, the learning process can begin.

2. Execute Standard Countermeasures - Execute playbooks for automated or manual responses. The ability to analyze the nature of an attack can in part be automated and made into playbooks to execute at the time of an attack.

This type of automation can take the form of programs that find out everything about the traffic that came from a certain IP address or that crossed boundaries that no normal traffic should.

3. Perform Threat Detection and Hunting - Search for evidence of similar attacks. Once you understand how an attack is working and what it wants to do next, you can use that insight to search methodically through your IT landscape to find similar infections that may not have been detected and fully remediated.

4. Gather Threat Intelligence - Record and share the nature of the attack with others. Native integrations between vendors actively remove internal information silos and improve productivity.

You’ve got prevention, detection, response, and the increasing application of predictive technologies. For these to work together, you need to be able to collect and easily share information, automate processes, and retain information so that it can be reused in repeatable playbooks and processes. Embracing an active defense helps.


Some references

https://www.experts-exchange.com/articles/33354/Make-the-RIGHT-Security-by-Building-Your-Security-PIVOT.html

https://www.experts-exchange.com/articles/32315/Know-the-Threat-better-STRIKE-out-with-a-Threat-Risk-TABLET.html

https://www.experts-exchange.com/articles/32100/Making-the-RIGHT-Security-Adopt-a-RISK-based-approach.html

https://www.experts-exchange.com/articles/28821/What's-in-an-Incident-Response-Plan.html

https://www.experts-exchange.com/articles/17367/What-is-a-good-Security-Action-Plan.html

Author

Commented:
Wow.  I guess we have a lot more work to go after seeing the above comments.  Here is what I began to start on in the following document, but it appears there are many other aspects.  I certainly welcome your feedback as to what I have so far.

Thanks
Security-Meeting.docx

Commented:
Sample: Shon Harris -  Control Types and Functionality - CISSP All-in-One

Check NIST (contains details on the security controls)  https://csrc.nist.gov/publications/detail/sp/800-53/rev-3/archive/2010-05-01
SANS https://www.sans.org/course/critical-security-controls-planning-implementing-auditing?msc=cishp
btan, Exec Consultant
Distinguished Expert 2018

Commented:
I am thinking of the cybersecurity framework of NIST instead. This framework is built upon concepts to organize information, enable risk management decisions, address threats, and improve through lessons learned.

The foundation of these concepts is aligned within five core functions:

Identify
Protect
Detect
Respond
Recover

And one of the best ways to discern the controls is to reference the CIS Critical 20.

A cross mapping of CSF and CIS is useful.
https://www.cisecurity.org/blog/cis-controls-version-7-whats-old-whats-new/

The CIS Controls are a free cybersecurity best practices resource for any organization to download and implement. They provide clear, prioritized guidance to help organizations tackle the most pervasive cybersecurity threats.

Commented:
Agree with btan; when you plan your Information Security Controls include the following:
a. Access Control
b. Identification and Authentication
c. Awareness and Training
d. Audit and Accountability
e. Certification, Accreditation, Security and Risk Assessments
f. System and Communications Protection
g. Configuration Management
h. Contingency Planning
i. Incident Response
j. Maintenance
k. Media Protection
l. Physical and Environmental Protection
n. Personnel Security
o. System and Services Acquisition
p. System and Information Integrity

Commented:
The CIS Critical Controls and similar articles are the actual controls that are relevant to all, by following these you are implementing controls/best practices, call it what you will.

https://www.cisecurity.org/controls/

There could be hundreds, e.g. applying the latest OS and software security patches is a control, limiting who has admin rights on servers is a control, enforcing a complex password policy for domain users is a control, having a process to promptly disable network & application access once an employee leaves a company is a control etc. There are literally hundreds of things you could class as a control.

"Controls" is an audit term, by the way: an auditor would evaluate your information systems using a checklist, often with automated tools, which has a set of 'controls' (best practices) to check your configuration and processes against. You normally have an internal audit or risk function whose day-to-day job is to evaluate systems against controls and best practices and suggest recommendations for control improvements. Historically audit would be seen as an anti-fraud function, but while that is still true they often have technical IT auditors in the teams who focus on information security, data privacy, compliance against security standards and so forth.

Using internal audits, and tools like vulnerability scanners, are some ways of testing network controls, as is any other 3rd party independent assurance. There are also physical security aspects to consider in terms of data centres, DR sites etc. If you download the CIS controls I linked above you have a huge list of best practices to self-audit against; you could break them down into individual reviews, identify any opportunities for improvement and suggest to the board you are working with to get any investment and resources required to make the necessary improvements/remedial work.
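A self-audit against a control such as "minimise open network ports" can be scripted so it runs on a schedule and produces a finding only when configuration drifts. The following is an added example, not code from the original answer or from the CIS Controls themselves: it parses the output of `ss -ltn` (listening TCP sockets, numeric ports), ignores services bound only to loopback, and reports any externally reachable port that is not on an approved list. The `ss` output below is a constructed sample; the approved-port list is an assumption standing in for a real host baseline.

```python
import subprocess
from typing import Iterable, List, Set, Tuple

# Constructed sample of `ss -ltn` output for a host whose baseline allows
# only SSH (22) and HTTPS (443) to be reachable from the network.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:443                *:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::1]:6379           [::]:*
LISTEN  0       128     [::]:23              [::]:*
"""

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def split_local_address(field: str) -> Tuple[str, int]:
    """Split 'addr:port' as printed by ss; IPv6 addresses keep their brackets."""
    addr, _, port = field.rpartition(":")
    return addr, int(port)


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every LISTEN line in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue                      # header line or something unexpected
        listeners.append(split_local_address(cols[3]))
    return listeners


def audit_listeners(ss_output: str, approved_ports: Set[int]) -> List[Tuple[int, str]]:
    """Findings: (port, bind address) for network-reachable ports not on the baseline.

    Loopback-only binds are skipped because they cannot be reached from the
    network, which is usually the intent for a local database or cache.
    """
    findings = []
    for addr, port in parse_listeners(ss_output):
        if addr in LOOPBACK:
            continue
        if port not in approved_ports:
            findings.append((port, addr))
    return sorted(findings)


def audit_live_host(approved_ports: Iterable[int]) -> List[Tuple[int, str]]:
    """Run the same check against this machine (Linux with iproute2's `ss`)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return audit_listeners(out, set(approved_ports))


if __name__ == "__main__":
    for port, addr in audit_listeners(SAMPLE_SS_OUTPUT, {22, 443}):
        print(f"FINDING: port {port} listening on {addr} is not in the approved baseline")
```

Run on a schedule and diffed against the previous run, a check like this turns a written control into evidence an auditor can see: the baseline is the documented expectation, the findings are the exceptions, and each exception either gets an approved change or a ticket.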

Author

Commented:
What are some vulnerability scanners that are typically used?  Wireshark?

Commented:
Vulnerability Assessment
• Nessus
• Nmap   https://pen-testing.sans.org/blog/2013/10/08/nmap-cheat-sheet-1-0#
• System Administrator’s Integrated Network Tool (SAINT)
• IBM Internet Scanner
• Retina
• GFI LanGuard
• Microsoft Baseline Security Analyzer (MBSA)
• OpenVAS
• GoLismero
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Vulnerability management (beyond just a scanner; including asset discovery and compliance checks) is important and a security asset to be equipped with, together with a central portal to manage the collected events, alerts and policy compliance status.

Human error is reduced with technology and automation. There can be false positives at times, but minimal.

Nessus is one of the leading solutions worth considering.

Author

Commented:
Are any free?
btan, Exec Consultant
Distinguished Expert 2018

Commented:
There are free and trial versions. Nessus is commercial though.

List of the best network vulnerability scanners:

SolarWinds Network Configuration Manager (FREE TRIAL) – Free for 30 days with no obligation to move on to the paid version, this is a very comprehensive configuration manager that scans for device settings that create vulnerabilities.

Paessler Network Vulnerability Monitoring with PRTG (FREE TRIAL) – Part of the PRTG resource monitoring system, this tool checks logs and monitors traffic patterns as well as guarding ports and resource usage. It is free to use for up to 100 sensors.

OpenVAS – The Open Vulnerability Assessment System is a free vulnerability manager for Linux that can be accessed on Windows through a VM.

Microsoft Baseline Security Analyzer (MBSA) – Free and easy-to-use tool that checks Microsoft products for vulnerabilities.

Retina Network Scanner Community Edition – Free to scan up to 256 IP addresses, this system relies on a central database of known weaknesses.

Nexpose Community Edition – Free for scans of up to 32 IP addresses, this tool discovers and logs your network-connected devices, highlighting any known vulnerabilities in each.

Kaspersky Software Updater – A free utility for Windows that will install available updates for any of your software, not just Kaspersky products.
