Security Advisory Issue 3

This document discusses the importance of implementing basic cybersecurity controls to prevent security breaches. It outlines the top 20 critical security controls defined by CIS, with a focus on the first six controls which provide the most effective defense against common threats when implemented. These include conducting an inventory of authorized and unauthorized devices and software, implementing secure configurations for hardware/software, continuous vulnerability assessments and remediation, controlling administrative privileges, maintaining audit logs, and implementing email and web browser protections. The document stresses that most security incidents occur due to a lack of implementing well-known security controls and practices.

Uploaded by

Ofrates Siringan

SECURITY ADVISORY - ISSUE 3

PREVENTION IS BETTER THAN CURE…
No organization, regardless of market cap, is immune from hacks…

We hear about new security threats every day which create havoc in the Information Technology industry. A statistic on threats that span the kill chain from pre-attack reconnaissance (exploits) to weaponization (malware) to post-compromise command and control (botnets) as of Q2 2017 triggers questions in our mind:

Are we protected from such threats?
How can we prevent our IT systems from getting compromised?
When should we act against new threats?
What should be the extent of security measures to prevent any loss to the organization?

Five years back only a minuscule number of organizations were serious about security, and most of the other organizations considered security to be a burden, a numb expenditure.

In recent years a noticeable amount of loss in the IT industry was reported as a result of security breaches. Information security breaches made it onto the front pages of newspapers.

Not only organizations but individuals started worrying about information security risk. Organizations realized that reacting after an incident had occurred was not a good idea, as the loss could be tremendous in no time; it could even be so serious that the organization might never recover.

Hence the IT industry started looking for a proactive approach which will reduce the chance of huge loss to the organization.

True cyber security is preparing for what's next, not what was last.

Q2 2017, Threat by Numbers (Fortinet Threat Landscape Report Q2 2017)
Exploits: 184 billion exploit detections; 1.8 billion average daily volume; 6,298 unique exploit detections; 69% of firms saw severe exploits.
Malware: 62 million detections; 677,000 average daily volume; 16,582 variants in 2,534 families; 18% of firms saw mobile malware.
Botnets: 2.9 billion botnet detections; 32 million average daily volume; 243 unique botnets detected; 993 daily communications per firm.


CIS CRITICAL SECURITY CONTROLS FOR EFFECTIVE CYBER DEFENSE

Top 20 Critical Security Controls defined by CIS (Version 6.1):
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

EFFECTIVE CYBER DEFENCE – THE CONTROLS

In their white paper Back to Basics: Focus on the First Six CIS Critical Security Controls, SANS states that the biggest security gains against the most common threat vectors can be simply and inexpensively achieved by implementing Controls 1–6.

Year after year, investigations performed after breaches and other security incidents reveal that the majority of security incidents occur because well-known security controls and practices were not implemented or were not working as organizations had assumed.

Implementations of the first six CIS Critical Security Controls have proven to deliver a highly effective and efficient level of defence against the majority of real-world attacks and provide the necessary foundation for dealing with more advanced attacks.

Where to begin?
Getting started is the most important step, and the Controls apply to nearly any enterprise – Sify can help!

Try to answer the following and find where your organisation stands in basic cyber defence.

Know What You Are Protecting:
- How many unauthorised / unknown computers are currently connected to the organisation's network?
- How many unauthorised software packages are running on the organisation's computers?
- What percentage of the organisation's computers are running software whitelisting defences which block unauthorised software programs from running?

Define Secure Configuration Baselines:
- What percentage of the organization's computers (operating system and applications) are configured as per the organization's documented standards?

Continuously Monitor Vulnerability of Resources:
- What is the comprehensive Common Vulnerability Scoring System (CVSS) vulnerability rating for each of your organisation's critical systems?

Limit and Monitor Administrative Privileges:
- Have you baselined privileged user behaviour, monitored for outliers, and defined a process to audit high-priority anomalies based on predefined thresholds?

Continuous Monitoring / Situational Awareness:
- Nothing stands still; do you continuously monitor, and are you aware of the situation across your IT organisation?


ASSET INVENTORY – FOUNDATIONAL ELEMENT OF SECURITY PROGRAM
Keeping an integrated and well maintained Asset Inventory Database with the proper inputs and outputs
can serve as a foundational element in any comprehensive security program.

The first step in most computer attacks is reconnaissance, so that the attackers can understand the network.
At the heart of the first two controls is an asset inventory database. The Asset Inventory Database contains information about what (software, applications, etc.) is running and where (devices).
Many items in the Asset Inventory Database can be discovered through automated scanning. Once identified through the automated scanning process, additional information can be added such as asset owner, relationships to other assets, maintenance contracts, support numbers, external access requirements and application criticality. The database can then be used as a checkpoint to determine whether a running device or application is authorized.
Alerts or reports can be produced indicating unexpected behaviour when a device or application is running which is not in the database. Action can then be taken on these alerts, investigating and, if required, mitigating the unexpected application or device to reduce risk.
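The checkpoint described above, as an added example that is not code from the advisory or from Sify: a discovery scan is reconciled against the asset inventory database, producing alerts for devices the database does not know and for software running on a known device that is not on its authorized list. The inventory records, MAC addresses, IP addresses and package names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed inventory database: MAC address -> the authorized device record,
# with the extra fields the advisory says get added after discovery
INVENTORY = {
    "00:11:22:33:44:01": {"host": "fs01", "owner": "Finance IT", "criticality": "high",
                          "software": {"openssh", "postgresql", "backup-agent"}},
    "00:11:22:33:44:02": {"host": "ws17", "owner": "Helpdesk", "criticality": "low",
                          "software": {"openssh", "office-suite", "browser"}},
    "00:11:22:33:44:03": {"host": "db02", "owner": "DBA team", "criticality": "high",
                          "software": {"openssh", "postgresql"}},
}

# Constructed output of an automated discovery scan: one entry per device seen
SCAN = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.5.10",
     "software": {"openssh", "postgresql", "backup-agent"}},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.8.23",
     "software": {"openssh", "office-suite", "browser", "torrent-client"}},
    {"mac": "00:11:22:33:44:99", "ip": "10.0.8.77", "software": {"remote-admin-tool"}},
]

@dataclass
class Alert:
    kind: str                   # "unknown_device" or "unauthorized_software"
    mac: str
    ip: str
    detail: str = ""            # package name for unauthorized_software
    criticality: str = "unknown"

def reconcile(inventory, scan):
    # The database is the checkpoint: anything it does not list is unexpected.
    # Returns the alerts plus the inventory hosts the scan did not see at all.
    alerts = []
    for seen in scan:
        record = inventory.get(seen["mac"])
        if record is None:
            alerts.append(Alert("unknown_device", seen["mac"], seen["ip"]))
            continue
        for pkg in sorted(seen["software"] - record["software"]):
            alerts.append(Alert("unauthorized_software", seen["mac"], seen["ip"],
                                pkg, record["criticality"]))
    seen_macs = {s["mac"] for s in scan}
    not_seen = sorted(rec["host"] for mac, rec in inventory.items() if mac not in seen_macs)
    return alerts, not_seen

if __name__ == "__main__":
    found, absent = reconcile(INVENTORY, SCAN)
    for a in found:
        print(f"{a.kind:22} {a.mac} {a.ip} {a.detail} criticality={a.criticality}")
```

Hosts in the inventory that the scan never sees are reported separately, since they may be offline or quietly decommissioned and either way the inventory needs updating.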

DEFINING SECURE CONFIGURATION BASELINES


With an accurate inventory in place, the next step is evaluating the configuration of endpoints against
configuration standards.
Hardening your computer or application is an important step in the fight to protect your personal data and
information. This process works to eliminate means of attack by patching vulnerabilities and turning off
inessential services. Hardening a computer involves several steps to form layers of protection. This
approach to safer computing is often called defence in depth. Good computer security is about finding the
right balance between hardening your system against potential threats and maintaining usability.
Much of this is captured in three simple concepts:

Ensure a system’s security configurations are appropriately set, given the job it needs to do
Ensure operating system software, firmware and applications are updated to stay ahead of exploits
that attack flaws in the underlying code
Ensure this process runs continually, leveraging and employing as much automation as possible
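An added example, not code from the advisory or from Sify, of the first concept above: each endpoint's configuration is checked against a documented secure configuration baseline and the share of conforming computers is reported, which is exactly the percentage the Control 3 question asks for. The baseline settings, comparison rules and endpoint snapshots are constructed.

```python
# Constructed baseline: setting -> (expected value, rule); rules are
# "eq" (must equal), "min" (must be >= expected) and "max" (must be <= expected)
BASELINE = {
    "password_min_length": (14, "min"),
    "ssh_root_login": ("no", "eq"),
    "firewall_enabled": (True, "eq"),
    "telnet_service": ("disabled", "eq"),
    "patch_age_days": (30, "max"),
}

# Constructed snapshots of what each endpoint actually has configured
ENDPOINTS = {
    "ws01": {"password_min_length": 14, "ssh_root_login": "no", "firewall_enabled": True,
             "telnet_service": "disabled", "patch_age_days": 12},
    "ws02": {"password_min_length": 8, "ssh_root_login": "yes", "firewall_enabled": True,
             "telnet_service": "disabled", "patch_age_days": 95},
    # srv01 reports no patch age at all: an unverifiable setting is not compliant
    "srv01": {"password_min_length": 16, "ssh_root_login": "no", "firewall_enabled": False,
              "telnet_service": "disabled"},
}

def setting_ok(expected, rule, actual):
    if rule == "eq":
        return actual == expected
    if rule == "min":
        return actual >= expected
    if rule == "max":
        return actual <= expected
    raise ValueError(f"unknown rule {rule!r}")

def deviations(baseline, config):
    # names of the baseline settings this endpoint fails or does not report
    return [name for name, (expected, rule) in baseline.items()
            if name not in config or not setting_ok(expected, rule, config[name])]

def compliance_report(baseline, endpoints):
    # per-host deviations plus the percentage of hosts with none, which answers
    # "what percentage of computers are configured per the documented standard"
    report = {host: deviations(baseline, cfg) for host, cfg in endpoints.items()}
    compliant = sum(1 for failed in report.values() if not failed)
    pct = round(100.0 * compliant / len(endpoints), 1) if endpoints else 0.0
    return report, pct
```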

DEFINING SECURE CONFIGURATION BASELINES


Network and device hygiene are perhaps the most neglected elements of security today. As of Q2 2017, a full 90% of organizations recorded exploits for vulnerabilities that were three or more years old. Even 10+ years after a flaw's release, 60% of firms still see related attacks.
Through 2020, zero-day vulnerabilities will play a role in less than 0.1% of attacks in general, excluding sensitive government targets. The vast majority of successful attacks exploit well-known vulnerabilities. Zero-day attacks are what people tend to worry about, but they are not the typical case. It is important that security teams combat existing vulnerabilities and ensure basic security is effective.
Note: Zero-day flaws are unpublished vulnerabilities, typically not known to the software developers.


A continual assessment is required for identifying new weaknesses and taking action to remediate the vulnerabilities found.

[Figure 3: Prevalence of vulnerabilities targeted by exploits, grouped by CVE release year and coloured by severity rating (trend from Fortinet Threat Landscape Report Q2 2017)]

Vulnerability Assessment and Penetration Testing (VAPT) comes in handy for such continual assessment.
In short, penetration testing and vulnerability assessment perform two different tasks, usually with different results, within the same area of focus.
Vulnerability assessment tools discover which vulnerabilities are present, but they do not differentiate between flaws that can be exploited to cause damage and those that cannot.
Penetration tests find exploitable flaws and measure the severity of each.

Together, penetration testing and vulnerability assessment tools provide a detailed picture of the flaws that exist in an application or a system and the risks associated with those flaws.
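An added example, not code from the advisory or from Sify, that combines the two views just described: vulnerability-assessment findings are ranked for remediation by whether the penetration test confirmed exploitability, then by system criticality, CVSS score and CVE age (the advisory notes that flaws three or more years old stay heavily exploited), and a per-system rating of the kind the questionnaire asks for is derived. Hosts, scores and the CVE identifiers (placeholders, not real CVE numbers) are constructed.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    cve: str                    # constructed placeholder ids, not real CVE numbers
    cvss: float                 # CVSS base score, 0.0 to 10.0
    critical_system: bool       # from the asset inventory's criticality field
    pt_exploited: bool = False  # True when the penetration test exploited it

# Constructed vulnerability-assessment output, with PT results merged in
FINDINGS = [
    Finding("db01", "CVE-2014-EXAMPLE1", 9.8, True, True),
    Finding("ws07", "CVE-2017-EXAMPLE2", 5.3, False),
    Finding("web01", "CVE-2012-EXAMPLE3", 7.5, True),
    Finding("web01", "CVE-2017-EXAMPLE4", 4.0, True),
    Finding("ws07", "CVE-2010-EXAMPLE5", 9.0, False, True),
]

def cve_year(cve_id):
    # the year field of a CVE id ("CVE-YYYY-NNNN") is when the flaw was assigned
    return int(cve_id.split("-")[1])

def severity_band(cvss):
    # CVSS v3 qualitative severity bands
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0.0 else "None"

def remediation_order(findings):
    # patch first: PT-confirmed exploitable, then critical systems, then CVSS,
    # then the oldest CVEs, since old flaws are the ones exploits keep targeting
    return sorted(findings, key=lambda f: (not f.pt_exploited, not f.critical_system,
                                           -f.cvss, cve_year(f.cve)))

def system_rating(findings, current_year):
    # per host: worst CVSS, its band and how many findings are 3+ years old
    rating = {}
    for f in findings:
        r = rating.setdefault(f.host, {"max_cvss": 0.0, "stale": 0})
        r["max_cvss"] = max(r["max_cvss"], f.cvss)
        if current_year - cve_year(f.cve) >= 3:
            r["stale"] += 1
    for r in rating.values():
        r["band"] = severity_band(r["max_cvss"])
    return rating
```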

Patch Management
Today more than ever, a timely patch management response to vulnerabilities is critical to maintain the
operational availability, confidentiality, and integrity of IT systems. Patches are usually released for three
reasons:

To fix faults in an application or operating system. Many hacker attacks are based on exploiting faults in the computer code of applications and operating systems. Patches are also released to correct performance or functionality problems.
To alter functionality or to address a new security threat. An example of this is new virus definitions for an antivirus application. There was nothing "wrong" with the code of the antivirus program, but it had to be updated to detect new viruses that did not exist when the application was first released.
To change or modify the software configuration to make it less susceptible to attacks and more secure.


KEEP AN EYE ON ADMINISTRATIVE PRIVILEGES


The majority of criminals are not using valuable zero-day exploits to penetrate corporate networks: they are phishing privileged account credentials from executives and IT staff, or simply guessing passwords for automated service accounts and, in turn, exploiting that access to gather valuable information. Zero-day vulnerabilities are so valuable that attackers apply them in a very limited way.

A compromised privileged account is the difference between a perimeter breach and a cybersecurity
catastrophe. It only takes one compromised privileged account for an attacker to perform malicious
activity.
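An added example, not code from the advisory or from Sify, of the baseline-and-outlier approach the questionnaire asks about for privileged accounts: per-user baselines of the hosts and hours of day seen in audit logs are built, then a review day is checked against them and against a predefined daily-volume threshold. The log line format, user names, hosts and the threshold value are constructed assumptions.

```python
import re
from collections import defaultdict

# Audit line format assumed for this example; fields other than these are ignored
LINE = re.compile(r"^(\d{4}-\d\d-\d\d)T(\d\d):\d\d:\d\d user=(\S+) action=\S+ host=(\S+)$")

# Constructed sample: a normal period of privileged actions, used as the baseline
BASELINE_LOG = """\
2017-06-05T09:12:01 user=admin.jane action=sudo host=srv01
2017-06-06T11:05:44 user=admin.jane action=sudo host=srv02
2017-06-07T02:00:02 user=svc_backup action=sudo host=db01
"""
# Constructed sample: the day under review
REVIEW_LOG = """\
2017-06-12T09:30:10 user=admin.jane action=sudo host=srv01
2017-06-12T23:48:51 user=admin.jane action=sudo host=fs01
2017-06-12T02:00:01 user=svc_backup action=sudo host=db01
2017-06-12T02:00:05 user=svc_backup action=sudo host=db01
2017-06-12T02:00:09 user=svc_backup action=sudo host=db01
"""
THRESHOLDS = {"max_events_per_day": 2}   # predefined threshold for daily volume

def parse(log):
    # (date, hour, user, host) per well-formed line; malformed lines are skipped
    return [(m[1], int(m[2]), m[3], m[4]) for m in map(LINE.match, log.splitlines()) if m]

def build_baseline(log):
    # per user: hosts used and hours of day seen during the baseline period
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for _, hour, user, host in parse(log):
        base[user]["hosts"].add(host)
        base[user]["hours"].add(hour)
    return base

def find_outliers(baseline, log, thresholds):
    # outliers: unknown user, new host, unusual hour, or daily volume above threshold
    alerts, per_day = [], defaultdict(int)
    for date, hour, user, host in parse(log):
        if user not in baseline:
            alerts.append((user, "no baseline for this privileged user"))
            continue
        if host not in baseline[user]["hosts"]:
            alerts.append((user, f"first privileged action on {host}"))
        if hour not in baseline[user]["hours"]:
            alerts.append((user, f"activity at unusual hour {hour:02d}"))
        per_day[(user, date)] += 1
    for (user, date), n in per_day.items():
        if n > thresholds["max_events_per_day"]:
            alerts.append((user, f"{n} privileged actions on {date} exceeds threshold"))
    return alerts
```

Each alert is a candidate for the audit process the questionnaire describes; the service account's burst at its usual hour on its usual host is caught only by the volume threshold, which is why the threshold is part of the baseline.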

How to approach this rapidly growing challenge of privileged user account abuse: see our 5 suggestions on Privileged Identity Management in the previous advisory.


CONTINUOUS MONITORING & SITUATIONAL AWARENESS


In the era of disruptive technology, nothing stands still. IT transforms, new assets are plugged into the organisation's network every day and new software is introduced every moment. New threats and attack surfaces appear from nowhere. Situational awareness is key for security teams to focus on deploying resources in the most effective and efficient areas to meet business security needs.
The terms 'continuous' and 'ongoing' in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information. Data collection, no matter how frequent, is performed at discrete intervals.

Establish and measure meaningful security metrics.
Monitor those metrics frequently enough to minimize incident impact.
Take action rapidly, efficiently and effectively to improve overall security.

CONCLUSION

Before anything else, preparation is the key to success. – Alexander Graham Bell

Identify your organization's critical assets, baseline their configurations, identify critical vulnerabilities, apply relevant patches, identify and protect privileged identities, and monitor efficiently and continuously.


SIFY OFFERING
Fortknox Service delivers a comprehensive review and assessment of a current security environment. It
addresses the requirement of first six controls of CIS Top 20 controls. Security exposures and risks are
identified within a customer's network and system using industry standard tools. It gives the customer the
benefit of an outside security review of their environment which analyzes and measures their level of
security versus industry standards and best practices.

[Figure: Fortknox Security service wheel – OS Hardening, IDS, Port Scan, VA, Syslog, PT, Web PT, Configuration Check, Firewall Review, Secure Patching, Executive Summary Report]

FORTKNOX SERVICE DELIVERABLES


OS Hardening: Making an operating system more secure as per standard practices and recommendations.
IDS Monitoring: A network-based IDS to monitor Internet traffic to systems in scope and alert on traffic found suspicious in near real time.
Port Scanning: Probe a server or host for open ports.
Vulnerability Assessment: Process of identifying and quantifying vulnerabilities in a system.
Syslog Monitoring: The system logs are collected and analyzed every day to find critical alerts in near real time.
PT: Penetration testing is a proven method of evaluating the security of computing networks and applications by simulating a malicious attack.
Web Vulnerability Assessment and Penetration Testing: Performed to discover and enumerate the weaknesses associated with web applications exposed to the public domain.
Configuration Checks: Providing an ongoing server assessment and checks.
Firewall Conduit Review: An audit of vulnerable policies on the firewall.
Patch Management: Ensuring system security of the Windows operating system by applying relevant patches.
Executive Summary Report: An executive dashboard about the server security posture with recommendations and records for further action to improve the security posture of critical systems.

Sify Technologies Limited
II Floor, TIDEL Park, No.4, Canal Bank Road,
Taramani, Chennai - 600 113, India.
Phone: +91 44 2254 0770-77 | Fax: +91 44 2254 0771
Email: [email protected]
Website: www.sifytechnologies.com
