CHAPTER 10

Endpoint Security and Analysis

• What are some methods of mitigating malware?

• What are the contents of host-based IPS/IDS log entries?

• How do you use a public service to generate a malware analysis report?

• How do you classify endpoint vulnerability assessment information?

• What is the value of network and server profiling?

• How do you classify CVSS reports?

• What are the compliance frameworks and reporting methods?

• How are secure device management techniques used to protect data and assets?

• How are information security management systems used to protect assets?

endpoint page 456

antivirus/antimalware page 459

host-based firewalls page 463

host-based intrusion detection system (HIDS) page 464

sandboxing page 469

profiling page 470

Payment Card Industry Data Security Standard (PCI DSS) page 480

Federal Information Security Management Act of 2002 (FISMA) page 481

Sarbanes-Oxley Act of 2002 (SOX) page 482

Gramm-Leach-Bliley Act (GLBA) page 482

Health Insurance Portability and Accountability Act (HIPAA) page 482

Information Security Management System (ISMS) page 491

This chapter discusses how to investigate endpoint vulnerabilities and attacks.

Devices that remotely access networks through VPNs are also endpoints that need to be considered. These endpoints could inject malware into the VPN network from the public network.

The following points summarize some of the reasons why malware remains a major challenge:

• More than 75% of organizations experienced adware infections from 2015 to 2016.

• From 2016 to early 2017, global spam volume increased dramatically (Figure 10-1); 8 to 10% of this spam can be considered to be malicious (Figure 10-2).

  

  Figure 10-1 Total Spam Volume

  

  Figure 10-2 Malicious Spam Percentage

• Malware that targets the Android mobile operating system was in the top ten most common types of malware found in 2016.

• Several common types of malware have been found to significantly change features in less than 24 hours in order to evade detection.

• DoS attacks on an organization’s network to degrade or even halt public access to it

• Breach of an organization’s web server to deface their web presence

• Breach of an organization’s data servers and hosts to steal confidential information

Various network security devices are required to protect the network perimeter from outside access. As shown in Figure 10-3, these devices could include a hardened router that is providing VPN services, a next-generation firewall (ASA in Figure 10-3), an IPS appliance, and an authentication, authorization, and accounting service (AAA server in Figure 10-3).

However, many attacks originate from inside the network. Therefore, securing an internal LAN is nearly as important as securing the outside network perimeter. Without a secure LAN, users within an organization are still susceptible to network threats and outages that can directly affect an organization’s productivity and profit margin. After an internal host is infiltrated, it can become a starting point for an attacker to gain access to critical system devices, such as servers and sensitive information.

Specifically, there are two internal LAN elements to secure:

• Endpoints: Hosts commonly consist of laptops, desktops, printers, servers, and IP phones, all of which are susceptible to malware-related attacks.

• Network infrastructure: LAN infrastructure devices interconnect endpoints and typically include switches, wireless devices, and IP telephony devices. Most of these devices are susceptible to LAN-related attacks including MAC address table overflow attacks, spoofing attacks, DHCP-related attacks, LAN storm attacks, STP manipulation attacks, and VLAN attacks.

This chapter focuses on securing endpoints.

Antimalware programs may detect viruses using three different approaches:

• Signature-based: This approach recognizes various characteristics of known malware files.

• Heuristics-based: This approach recognizes general features shared by various types of malware.

• Behavior-based: This approach employs analysis of suspicious behavior.

Many antivirus programs are able to provide real-time protection by analyzing data as it is used by the endpoint. These programs also scan for existing malware that may have entered the system prior to it being recognizable in real time.

Host-based antivirus protection is also known as agent-based. Agent-based antivirus runs on every protected machine. Agentless antivirus protection performs scans on hosts from a centralized system. Agentless systems have become popular for virtualized environments in which multiple OS instances are running on a host simultaneously. Agent-based antivirus running in each virtualized system can be a serious drain on system resources. Agentless antivirus for virtual hosts involves the use of a special security virtual appliance that performs optimized scanning tasks on the virtual hosts. An example of this is VMware’s vShield.

In addition to the protection functionality provided by host-based security products is the telemetry function. Most host-based security software includes robust logging functionality that is essential to cybersecurity operations. Some host-based security programs will submit logs to a central location for analysis.

There are many host-based security programs and suites available to users and enterprises. The independent testing laboratory AV-TEST, whose website is shown in Figure 10-6, provides high-quality reviews of host-based protections, as well as information about many other security products.

Protecting endpoints in a borderless network can be accomplished using both network-based and host-based techniques. The following are examples of devices and techniques that implement host protections and the network level:

• Advanced Malware Protection (AMP): This provides endpoint protection from viruses and malware.

• Email Security Appliance (ESA): This provides filtering of spam and potentially malicious emails before they reach the endpoint. An example is the Cisco ESA.

• Web Security Appliance (WSA): This provides filtering of websites and blacklisting to prevent hosts from reaching dangerous locations on the web. The Cisco WSA provides control over how users access the Internet and can enforce acceptable use policies, control access to specific sites and services, and scan for malware.

• Network Admission Control (NAC): This permits only authorized and compliant systems to connect to the network.

These technologies work in concert with each other to give more protection than host-based suites can provide, as shown in Figure 10-7.

• Before an attack: AMP uses global threat intelligence from Cisco’s Talos Security Intelligence and Research Group, and Threat Grid’s threat intelligence feeds to strengthen defenses and protect against known and emerging threats.

• During an attack: AMP uses that intelligence coupled with known file signatures and Cisco Threat Grid’s dynamic malware analysis technology. It identifies and blocks policy-violating file types and exploit attempts, as well as malicious files trying to infiltrate the network.

• After an attack: The solution goes beyond point-in-time detection capabilities and continuously monitors and analyzes all file activity and traffic, regardless of disposition, searching for any indications of malicious behavior. This happens not only after an attack, but also after a file is initially inspected. If a file with an unknown or previously deemed “good” disposition starts behaving badly, AMP will detect it and instantly alert security teams with an indication of compromise. It then provides visibility into where the malware originated, what systems were affected, and what the malware is doing. It also provides the controls to rapidly respond to the intrusion and remediate it with a few clicks. This gives security teams the level of deep visibility and control they need to quickly detect attacks, determine the impact, and contain malware before it causes damage.

Cisco AMP is very flexible and can be deployed on endpoints, on Cisco ASA and FirePOWER firewalls, and on various other appliances, such as ESA, WSA, and Meraki MX.

Host-based firewalls may use a set of predefined policies, or profiles, to control packets entering and leaving a computer. They also may have rules that can be directly modified or created to control access based on addresses, protocols, and ports. Host-based firewall applications can also be configured to issue alerts to users if suspicious behavior is detected. They can then offer the user the ability to allow an offending application to run or to be prevented from running in the future.

Logging data varies depending on the firewall application. It typically includes date and time of the event, whether the connection was allowed or denied, information about the source or destination IP addresses of packets, and the source and destination ports of the encapsulated segments. In addition, common activities such as DNS lookups and other routine events can show up in host-based firewall logs, so filtering and other parsing techniques are useful for inspecting large amounts of log data.

One approach to intrusion prevention is the use of distributed firewalls. Distributed firewalls combine features of host-based firewalls with centralized management. The management function pushes rules to the hosts and may also accept log files from the hosts.

Whether installed completely on the host or distributed, host-based firewalls are an important layer of network security along with network-based firewalls. Here are some examples of host-based firewalls:

• Windows Firewall: First included with Windows XP, Windows Firewall uses a profile-based approach to configuring firewall functionality. Access to public networks is assigned the restrictive Public firewall profile. The Private profile is for computers that are isolated from the Internet by other security devices, such as a home router with firewall functionality. The Domain profile is the third available profile. It is chosen for connections to a trusted network, such as a business network that is assumed to have an adequate security infrastructure. Windows Firewall has logging functionality and can be centrally managed with customized group security policies from a management server such as System Center 2012 Configuration Manager.

• iptables: This is an application that allows Linux system administrators to configure network access rules that are part of the Linux kernel Netfilter modules.

• nftables: The successor to iptables, nftables is a Linux firewall application that uses a simple virtual machine in the Linux kernel. Code is executed within the virtual machine that inspects network packets and implements decision rules regarding packet acceptance and forwarding.

• TCP Wrapper: This is a rule-based access control and logging system for Linux. Packet filtering is based on IP addresses and network services.

A host-based intrusion detection system (HIDS) is designed to protect hosts against known and unknown malware. An HIDS can perform detailed monitoring and reporting on the system configuration and application activity. It can provide log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting. An HIDS will frequently include a management server endpoint, as shown in Figure 10-8.

An HIDS is a comprehensive security application that combines the functionalities of antimalware applications with firewall functionality. An HIDS not only detects malware but also can prevent it from executing if it should reach a host. Because the HIDS software must run directly on the host, it is considered an agent-based system.

• Anomaly-based: Host system behavior is compared to a learned baseline model. Significant deviations from the baseline are interpreted as the result of some sort of intrusion. If an intrusion is detected, the HIDS can log details of the intrusion, send alerts to security management systems, and take action to prevent the attack. The measured baseline is derived from both user and system behavior. Because many things other than malware can cause system behavior to change, anomaly detection can create many erroneous results, which can increase the workload for security personnel and also lower the credibility of the system.

• Policy-based: Normal system behavior is described by rules, or the violation of rules, that are predefined. Violation of these policies will result in action by the HIDS. The HIDS may attempt to shut down software processes that have violated the rules and can log these events and alert personnel to violations. Most HIDS software comes with a set of predefined rules. With some systems, administrators can create custom policies that can be distributed to hosts from a central policy management system.

OSSEC uses a central manager server and agents that are installed on individual hosts. Currently, agents only exist for Microsoft Windows platforms. For other platforms, OSSEC can also operate as an agentless system, and can be deployed in virtual environments. The OSSEC server can also receive and analyze alerts from a variety of network devices and firewalls over syslog. OSSEC monitors system logs on hosts and also conducts file integrity checking. OSSEC can detect rootkits, and can also be configured to run scripts or applications on hosts in response to event triggers.

The attack surface is continuing to expand, as shown Figure 10-9.

More devices are connecting to networks through the Internet of Things (IoT) and Bring Your Own Device (BYOD). Much of network traffic now flows between devices and some location in the cloud. Mobile device use continues to increase. All of these trends contribute to a prediction that global IP traffic will increase threefold in the next five years.

The SANS Institute describes three components of the attack surface:

• Network Attack Surface: The attack exploits vulnerabilities in networks. This can include conventional wired and wireless network protocols, as well as other wireless protocols used by smartphones or IoT devices. Network attacks also exploit vulnerabilities at the network and transport layers.

• Software Attack Surface: The attack is delivered through exploitation of vulnerabilities in web, cloud, or host-based software applications.

• Human Attack Surface: The attack exploits weaknesses in user behavior. Such attacks include social engineering, malicious behavior by trusted insiders, and user error.

Application blacklists can dictate which user applications are not permitted to run on a computer, as shown in Figure 10-10. Similarly, whitelists can specify which programs are allowed to run, also shown in Figure 10-10. In this way, known vulnerable applications can be prevented from creating vulnerabilities on network hosts.

Whitelists are created in accordance with a security baseline that has been established by an organization. The baseline establishes an accepted amount of risk, and the environmental components that contribute to that level of risk. Non-whitelisted software can violate the established security baseline by increasing risk.

Figure 10-11 shows the Windows Local Group Policy Editor blacklisting and whitelisting settings.

Figure 10-12 shows how entries can be added, in this case to the list of blacklisted applications.

Websites can also be whitelisted and blacklisted. These blacklists can be manually created, or they can be obtained from various security services. Blacklists can be continuously updated by security services and distributed to firewalls and other security systems that use them. Cisco’s FireSIGHT security management system is an example of a device that can access the Cisco Talos security intelligence service to obtain blacklists. These blacklists can then be distributed to security devices within an enterprise network.

As mentioned previously, polymorphic malware changes frequently and new malware appears regularly. Malware will enter the network despite the most robust perimeter and host-based security systems. HIDS and other detection systems can create alerts on suspected malware that may have entered the network and executed on a host. Systems such as Cisco AMP can track the trajectory of a file through the network, and can “roll back” network events to obtain a copy of the downloaded file. This file can then be executed in a sandbox, such as Cisco Threat Grid Glovebox, and the activities of the file documented by the system. This information can then be used to create signatures to prevent the file from entering the network again. The information can also be used to create detection rules and automated plays that will identify other systems that have been infected.

Cuckoo Sandbox is a free malware analysis system sandbox. It can be run locally and have malware samples submitted to it for analysis.

A number of online public sandboxes also exist. These services allow malware samples to be uploaded for analysis. Some of these services are VirusTotal, Payload Security VxStream Sandbox, and Malwr.

Increased utilization of WAN links at unusual times can indicate a network breach and exfiltration of data. Hosts that begin to access obscure Internet servers, resolve domains that are obtained through dynamic DNS, or use protocols or services that are not needed by the system user can also indicate compromise. Deviations in network behavior are difficult to detect if normal behavior is not known.

Tools like NetFlow and Wireshark can be used to characterize normal network traffic characteristics. Because organizations can make different demands on their networks depending on the time of day or day of the year, network baselining should be carried out over an extended period of time. Some questions to ask when establishing a network baseline, as shown Figure 10-13, address important elements of the network profile:

• Session duration: This is the time between the establishment of a data flow and its termination.

• Total throughput: This is the amount of data passing from a given source to a given destination in a given period of time.

• Ports used: This is a list of TCP or UDP processes that are available to accept data.

• Critical asset address space: These are the IP addresses or the logical location of essential systems or data.

In addition, a profile of the types of traffic that typically enter and leave the network is an important tool in understanding network behavior. Malware can use unusual ports that may not be typically seen during normal network operation. Host-to-host traffic is another important metric. Most network clients communicate directly with servers, so an increase of traffic between clients can indicate that malware is spreading laterally through the network. Finally, changes in user behavior, as revealed by AAA, server logs, or a user profiling system like Cisco Identity Services Engine (ISE), is another valuable indicator. Knowing how individual users typically use the network leads to detection of potential compromise of user accounts. A user who suddenly begins logging in to the network at strange times from a remote location should raise alarms if this behavior is a deviation from a known norm.

In order to establish a server profile, it is important to understand the function that a server is intended to perform in a network. From there, various operating and usage parameters can be defined and documented. A server profile may establish the following:

• Listening ports: These are the TCP and UDP daemons and ports that are allowed to be open on the server.

• User accounts: These are the parameters defining user access and behavior.

• Service accounts: These are the definitions of the type of service that an application is allowed to run on a given host.

• Software environment: This contains the tasks, processes, and applications that are permitted to run on the server.

This entails the use of sophisticated statistical and machine learning techniques to compare normal performance baselines with network performance at a given time. Significant deviations can be indicators of compromise.

Anomaly detection can recognize network congestion caused by worm traffic that exhibits scanning behavior. Anomaly detection also can identify infected hosts on the network that are scanning for other vulnerable hosts.

Figure 10-14 illustrates a simplified version of an algorithm designed to detect an unusual condition at the border routers of an enterprise.

For example, the cybersecurity analyst could provide the following values:

• X = 5

• Y = 100

• Z = 30

• N = 500

Now, the algorithm can be interpreted as “Every 5th minute, get a sampling of 1/100th of the flows during second 30. If the number of flows is greater than 500, generate an alarm. If the number of flows is less than 500, do nothing.” This is a simple example of using a traffic profile to identify the potential for data loss.

• Risk analysis: This is a discipline in which analysts evaluate the risk posed by vulnerabilities to a specific organization. A risk analysis includes assessment of the likelihood of attacks, identifies types of likely threat actors, and evaluates the impact of successful exploits on the organization.

• Vulnerability assessment: This test employs software to scan Internet-facing servers and internal networks for various types of vulnerabilities. These vulnerabilities include unknown infections, weaknesses in web-facing database services, missing software patches, unnecessary listening ports, etc. Tools for vulnerability assessment include the open source OpenVAS platform, Microsoft Baseline Security Analyzer, Nessus, Qualys, and FireEye Mandiant services. Vulnerability assessment includes, but goes beyond, port scanning.

• Penetration testing: This type of test uses authorized simulated attacks to test the strength of network security. Internal personnel with hacker experience, or professional ethical hackers, identify assets that could be targeted by threat actors. A series of exploits is used to test security of those assets. Simulated exploit software tools are frequently used. Penetration testing does not only verify that vulnerabilities exist, it actually exploits those vulnerabilities to determine the potential impact of a successful exploit. An individual penetration test is often known as a pen test. Metasploit is a tool used in penetration testing. Core Impact offers penetration testing software and services.

• It provides standardized vulnerability scores that should be meaningful across organizations.

• It provides an open framework with the meaning of each metric openly available to all users.

• It helps prioritize risk in a way that is meaningful to individual organizations.

The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of the CVSS to promote its adoption globally. Version 3.0 was under development for 3 years, and Cisco and other industry partners contributed to the standard.

Many of the metrics address the role of what the CVSS calls an authority. An authority is a computer entity, such as a database, operating system, or virtual sandbox, which grants and manages access and privileges to users.

As shown Figure 10-15, the CVSS uses three groups of metrics to assess vulnerability: Base, Temporal, and Environmental.

• Exploitability: These are features of the exploit such as the vector, complexity, and user interaction required by the exploit.

• Impact: The impacts of the exploit are rooted in the CIA triad of confidentiality, integrity, and availability.

• Attack Vector (AV): This is a metric that reflects the proximity of the threat actor to the vulnerable component. The more remote the threat actor is to the component, the higher the severity. Threat actors close to your network or inside your network are easier to detect and mitigate.

• Attack Complexity (AC): This is a metric that expresses the number of components, software, hardware, or networks that are beyond the attacker’s control and that must be present in order for a vulnerability to be successfully exploited.

• Privileges Required (PR): This is a metric that captures the level of access that is required for a successful exploit of the vulnerability.

• User Interaction (UI): This metric expresses the presence or absence of the requirement for user interaction in order for an exploit to be successful.

• Scope (S): This metric expresses whether multiple authorities must be involved in an exploit. This is expressed as whether the initial authority changes to a second authority during the exploit.

The Base metric group Impact metrics increase with the degree or consequence of loss due to the impacted component. Impact metrics include:

• Confidentiality Impact (C): This is a metric that measures the impact to confidentiality due to a successfully exploited vulnerability. Confidentiality refers to the limiting of access to only authorized users.

• Integrity Impact (I): This is a metric that measures the impact to integrity due to a successfully exploited vulnerability. Integrity refers to the trustworthiness and authenticity of information.

• Availability Impact (A): This is a metric that measures the impact to availability due to a successfully exploited vulnerability. Availability refers to the accessibility of information and network resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability.

The CVSS process uses a tool called the CVSS v3.0 Calculator, shown in Figure 10-16.

The calculator is similar to a questionnaire in which choices are made that describe the vulnerability for each metric group. After all choices are made, a score is generated. Pop-up text that offers an explanation for each metric and metric value are displayed by hovering a mouse over each. Choices are made by choosing one of the values for the metric. Only one choice can be made per metric.

A detailed user guide that defines metric criteria, examples of assessments of common vulnerabilities, and the relationship of metric values to the final score is available to support the process.

After the Base metric group is completed, the numeric severity rating is displayed, as shown in Figure 10-17.

A vector string is also created that summarizes the choices made. If other metric groups are completed, those values are appended to the vector string. The string consists of the initial(s) for the metric, and an abbreviated value for the selected metric value separated by a colon. The metric-value pairs are separated by slashes. An example vector for the Base metric group is shown in the Figure 10-18. The vector strings allow the results of the assessment to be easily shared and compared.

In order for a score to be calculated for the Temporal or Environmental metric groups, the Base metric group must first be completed. The Temporal and Environmental metric values then modify the Base metric results to provide an overall score. The interaction of the scores for the metric groups is shown in Figure 10-19.

Frequently, the Base and Temporal metric group scores will be supplied to customers by the application or security vendor in whose product the vulnerability has been discovered. The affected organization completes the Environmental metric group to tailor the vendor-supplied scoring to the local context.

The resulting score serves to guide the affected organization in the allocation of resources to address the vulnerability. The higher the severity rating, the greater the potential impact of an exploit and the greater the urgency in addressing the vulnerability. While not as precise as the numeric CVSS scores, the qualitative labels are very useful for communicating with stakeholders who are unable to relate to the numeric scores.

In general, any vulnerability that exceeds 3.9 should be addressed. The higher the rating level, the greater the urgency for remediation.

To prevent similar losses, a number of security compliance regulations have emerged. The regulations offer a framework for practices that enhance information security while also stipulating incidence response actions and penalties for failure to comply. Organizations can verify compliance through the process of compliance assessment and audit. Assessments verify compliance or noncompliance for informational purposes. Audits also verify compliance but can result in consequences, such as financial penalties or loss of business opportunity.

This topic will discuss and differentiate the important and far reaching compliance regulations.

PCI DSS applies to any entity that stores, processes, and/or transmits data about credit cardholders. As shown in Figure 10-20, cardholder data includes

• Cardholder name

• Primary account number (PAN)

• Expiration date

• Service Code (part of the magnetic strip)

• Card Verification Code (CVC), Card Verification Value (CVV), Card Security Code (CSC)

• Card Identification Code (CID)

• Sensitive data stored on magnetic strip or chip

Many network management platforms include compliance reporting in their security management–related functionalities.

Risk management is an ongoing, multistep, cyclical process, as shown in Figure 10-21.

Risk is determined as the relationship between threat, vulnerability, and the nature of the organization. It first involves answering the following questions as part of a risk assessment:

• Who are the threat actors who want to attack us?

• What vulnerabilities can threat actors exploit?

• How would we be affected by attacks?

• What is the likelihood that different attacks will occur?

NIST Special Publication 800-30 describes risk assessment as:

…the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.

A mandatory activity in risk assessment is the identification of threats and vulnerabilities and the matching of threats with vulnerabilities in what is often called threat-vulnerability (T-V) pairing. The T-V pairs can then be used as a baseline to indicate risk before security controls are implemented. This baseline can then be compared to ongoing risk assessments as a means of evaluating risk management effectiveness. This part of risk assessment is referred to as determining the inherent risk profile of an organization.

After the risks are identified, they may be scored or weighted as a way of prioritizing risk reduction strategies. For example, vulnerabilities that are found to have corresponded with multiple threats can receive higher ratings. In addition, T-V pairs that map to the greatest institutional impact will also receive higher weightings.

There are four potential ways to respond to risks that have been identified, based on their weightings or scores:

• Risk avoidance: Stop performing the activities that create risk. It is possible that as a result of a risk assessment, it is determined that the risk involved in an activity outweighs the benefit of the activity to the organization. If this is found to be true, then it may be determined that the activity should be discontinued.

• Risk reduction: Decrease the risk by taking measures to reduce vulnerability. This involves implementing management approaches discussed earlier in this chapter. For example, if an organization uses server operating systems that are frequently targeted by threat actors, risk can be reduced through ensuring that the servers are patched as soon as vulnerabilities have been addressed.

• Risk sharing: Shift some of the risk to other parties. For example, a risk-sharing technique might be to outsource some aspects of security operations to third parties. Hiring a security as a service (SECaaS) CSIRT to perform security monitoring is an example. Another example is to buy insurance that will help to mitigate some of the financial losses due to a security incident.

• Risk retention: Accept the risk and its consequences. This strategy is acceptable for risks that have low potential impact and relatively high cost of mitigation or reduction. Other risks that may be retained are those that are so dramatic that they cannot realistically be avoided, reduced, or shared.

Vulnerability management requires a robust means of identifying vulnerabilities based on vendor security bulletins and other information systems such as CVE. Security personnel must be competent in assessing the impact, if any, of vulnerability information they have received. Solutions should be identified with effective means of implementing and assessing the unanticipated consequences of implemented solutions. Finally, the solution should be tested to verify that the vulnerability has been eliminated.

The steps in the Vulnerability Management Life Cycle, shown in Figure 10-22, are described below:

• Discover: Inventory all assets across the network and identify host details, including operating systems and open services, to identify vulnerabilities. Develop a network baseline. Identify security vulnerabilities on a regular automated schedule.

• Prioritize assets: Categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to business operations.

• Assess: Determine a baseline risk profile to eliminate risks based on asset criticality, vulnerability, threats, and asset classification.

• Report: Measure the level of business risk associated with your assets according to your security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities.

• Remediate: Prioritize according to business risk and address vulnerabilities in order of risk.

• Verify: Verify that threats have been eliminated through follow-up audits.

In publication NISTIR 8011 Volume 2, NIST specifies the detailed records that should be kept for each relevant device. NIST describes potential techniques and tools for operationalizing an asset management process:

• Automated discovery and inventory of the actual state of devices

• Articulation of the desired state for those devices using policies, plans, and procedures in the organization’s information security plan

• Identification of noncompliant authorized assets

• Remediation or acceptance of device state, possible iteration of desired state definition

• Repeat the process at regular intervals, or ongoing

Figure 10-23 provides an overview of this process.

Due to the diversity of mobile devices, it is possible that some devices that will be used on the network are inherently less secure than others. Network administrators should assume that all mobile devices are untrusted until they have been properly secured by the organization.

MDM systems, such as Cisco Meraki Systems Manager, shown in Figure 10-24, allow security personnel to configure, monitor, and update a very diverse set of mobile clients from the cloud.

Configuration management extends to the software and hardware configuration of networking devices and servers as well. As defined by NIST, configuration management “comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.”

For internetworking devices, software tools are available that will back up configurations, detect changes in configuration files, and enable bulk change of configurations across a number of devices.

With the advent of cloud data centers and virtualization, management of numerous servers presents special challenges. Configuration management tools like Puppet, Chef, Ansible, and SaltStack were developed to allow efficient management of servers that enable cloud-based computing.

Patch management is required by some security compliance regulations, such as SOX and HIPAA. Failure to implement patches in a systematic and timely manner could result in audit failure and penalties for noncompliance. Patch management depends on asset management data to identify systems that are running software that requires patching. Figure 10-25 shows a screenshot of the SolarWinds Patch Manager tool.

• Agent-based: This requires a software agent to be running on each host to be patched. The agent reports whether vulnerable software is installed on the host. The agent communicates with the patch management server, determines if patches exist that require installation, and installs the patches (Figure 10-26). The agent runs with sufficient privileges to allow it to install the patches. Agent-based approaches are the preferred means of patching mobile devices.

  

  Figure 10-26 Agent-Based Patch Management

• Agentless scanning: Patch management servers scan the network for devices that require patching. The server determines which patches are required and installs those patches on the clients (Figure 10-27). Only devices that are on scanned network segments can be patched in this way. This can be a problem for mobile devices.

  

  Figure 10-27 Agentless Scanning Patch Management

• Passive network monitoring: Devices requiring patching are identified through the monitoring of traffic on the network (Figure 10-28). This approach is only effective for software that includes version information in its network traffic.

  

  Figure 10-28 Passive Network Monitoring Patch Management

ISMSs are a natural extension of the use of popular business models, such as Total Quality Management (TQM) and Control Objectives for Information and Related Technologies (COBIT), into the realm of cybersecurity.

An ISMS is a systematic, multilayered approach to cybersecurity. The approach includes people, processes, technologies, and the cultures in which they interact in a process of risk management.

An ISMS often incorporates the “plan-do-check-act” framework, known as the Deming cycle, from TQM. It is seen as an elaboration on the process component of the People-Process-Technology-Culture model of organizational capability, as shown in Figure 10-29.

ISO partnered with the International Electrotechnical Commission (IEC) to develop the ISO/IEC 27000 family of specifications for ISMSs, as shown in Table 10-2.

The ISO 27001 Certification is a global, industry-wide specification for an ISMS. Figure 10-30 illustrates the relationship of actions stipulated by the standard with the plan-do-check-act cycle.

The details of each action are as follows:

Plan

• Understand relevant business objectives

• Define scope of activities

• Access manage support

• Assess and define risk

• Perform asset management and vulnerability assessment

Do

• Create and implement risk management plan

• Establish and enforce risk management policies and procedures

• Train personnel, allocate resources

Check

• Monitor implementation

• Compile reports

• Support external certification audit

Act

• Continually audit processes

• Continual process improvement

• Take corrective action

• Take preventive action

Certification means an organization’s security policies and procedures have been independently verified to provide a systematic and proactive approach for effectively managing security risks to confidential customer information.

NIST has developed the Cybersecurity Framework, which, like ISO/IEC 27000, is a set of standards designed to integrate existing standards, guidelines, and practices to help better manage and reduce cybersecurity risk. The Framework was first issued in February 2014 and continues to undergo development.

The Framework consists of a set of activities suggested to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The core functions, defined in Table 10-3, are split into major categories and subcategories.

The major categories provide an understanding of the types of activities related to each function, as shown in Table 10-4.

Organizations of many types are using the Framework in a number of ways. Many have found it helpful in raising awareness and communicating with stakeholders within their organization, including executive leadership. The Framework is also improving communications across organizations, allowing cybersecurity expectations to be shared with business partners, suppliers, and among sectors. By mapping the Framework to current cybersecurity management approaches, organizations are learning and showing how they match up with the Framework’s standards, guidelines, and best practices. Some parties are using the Framework to reconcile internal policy with legislation, regulation, and industry best practice. The Framework also is being used as a strategic planning tool to assess risks and current practices.

Cybersecurity analysts and security experts use a variety of tools to perform endpoint vulnerability assessments. Network and device profiling provide a baseline that serves as a reference point for identifying deviations from normal operations. Similarly, server profiling is used to establish the accepted operating state of servers. Network security can be evaluated using a variety of tools and services, including:

• Risk analysis to evaluate the risk posed by vulnerabilities to a specific organization

• Vulnerability assessment, which uses software to scan Internet-facing servers and internal networks for various types of vulnerabilities

• Penetration testing, which uses authorized simulated attacks to test the strength of network security

The Common Vulnerability Scoring System (CVSS) is a risk assessment designed to convey the common attributes and severity of vulnerabilities in computer hardware and software systems. The benefits of CVSS include:

• Standardized vulnerability scores that should be meaningful across organizations

• Open framework with the meaning of each metric openly available to all users

• Prioritization of risk in a way that is meaningful to individual organizations

A number of security compliance regulations have emerged, including:

• Federal Information Security Management Act of 2002 (FISMA): This provides security standards for U.S. government systems and contractors to the U.S. government.

• Sarbanes-Oxley Act of 2002 (SOX): This provides the requirements for the way in which U.S. corporations control and disclose financial information.

• Gramm-Leach-Bliley Act (GLBA): This states that financial institutions must secure customer information, protect against threats to customer information, and protect against unauthorized access to customer information.

• Health Insurance Portability and Accountability Act (HIPAA): This requires that all patient personally identifiable healthcare information be stored, maintained, and transmitted in ways that ensure patient privacy and confidentiality.

• Payment Card Industry Data Security Standard (PCI DSS): This is a proprietary, non-governmental standard for the secure handling of customer credit card data.

Risk management involves the selection and specification of security controls for an organization. There are four potential ways to respond to risks that have been identified, based on their weightings or scores:

• Risk avoidance, if it is determined that the activity should be discontinued

• Risk reduction, by implementing management approaches to reduce vulnerability

• Risk sharing, to shift risk by outsourcing some aspects of security operations to third parties

• Risk retention and acceptance, for risks that have low potential impact and/or relatively high cost of mitigation or reduction

Risk management tools include:

• Vulnerability management

• Asset management

• Mobile device management

• Configuration management

• Enterprise patch management

Organizations can use an Information Security Management System (ISMS) to identify, analyze, and address information security risks. Standards for managing cybersecurity risk are available from ISO and NIST.

1. Which HIDS is an open source product?

1. Tripwire

2. OSSEC

3. Cisco AMP

4. AlienVault USM

2. In Windows Firewall, when is the Domain profile applied?

1. When the host accesses the Internet

2. When the host checks emails from an enterprise email server

3. When the host is connected to a trusted network such as an internal business network

4. When the host is connected to an isolated network from the Internet by another security device

3. Which function does CVSS provide?

1. Risk assessment

2. Penetration testing

3. Vulnerability assessment

4. Central security management service

4. In addressing an identified risk, which strategy aims to decrease the risk by taking measures to reduce vulnerability?

1. Risk sharing

2. Risk retention

3. Risk reduction

4. Risk avoidance

5. Which regulatory compliance regulation specifies security standards for U.S. government systems and contractors to the U.S. government?

1. Gramm-Leach-Bliley Act (GLBA)

2. Sarbanes-Oxley Act of 2002 (SOX)

3. Health Insurance Portability and Accountability Act (HIPAA)

4. Federal Information Security Management Act of 2002 (FISMA)

6. Which three devices are possible examples of network endpoints? (Choose three.)

1. Router

2. Sensor

3. Wireless AP

4. IoT controller

5. VPN appliance

6. Network security camera

7. Which antimalware software approach can recognize various characteristics of known malware files to detect a threat?

1. Routing-based

2. Behavior-based

3. Signature-based

4. Heuristics-based

8. As described by the SANS Institute, which attack surface includes the exploitation of vulnerabilities in wired and wireless protocols used by IoT devices?

1. Human Attack Surface

2. Internet Attack Surface

3. Network Attack Surface

4. Software Attack Surface

9. In profiling a server, what defines what an application is allowed to do or run on a server?

1. User accounts

2. Listening ports

3. Service accounts

4. Software environment

10. Which class of metric in the CVSS Basic metric group defines the features of the exploit such as the vector, complexity, and user interaction required by the exploit?

1. Impact

2. Exploitability

3. Modified Base

4. Exploit Code Maturity

11. Which step in the Vulnerability Management Life Cycle performs inventory of all assets across the network and identifies host details, including operating system and open services?

1. Assess

2. Discover

3. Remediate

4. Prioritize assets

12. In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization, including assessment of the likelihood of attacks and the impact of successful exploits on the organization?

1. Risk analysis

2. Port scanning

3. Penetration testing

4. Vulnerability assessment