Centrify and the SANS Top 20

I know a very successful high school wrestling coach who has this running bit he does all the time at social events, cocktail parties, and random water cooler conversations.  When asked why his teams are consistently good year after year, he always responds with, “I’ve discovered the ancient secret to staying extremely physically fit.” After a bit of egging on, he’ll reluctantly divulge this long lost tidbit of knowledge he stumbled upon while reading some ancient scrolls. “The secret to staying extremely physically fit,” he begins, always followed by an over-the-top dramatic pause, “is to eat right and exercise.”

Just like maintaining excellent physical fitness, creating and maintaining a high level of IT security fitness is really a matter of practical sense, with the devil of course being in the details. This is the last of a three-part blog series in which I discuss three federal and industry-standard sets of security controls, and it concerns itself with the most detail-oriented of them: the SANS Top 20 Critical Security Controls. (The previous two posts addressed NIST 800-53 and the DHS CDM program.)

The SANS list is not a security mandate or program like the other checklists I’ve discussed. In terms of practical, real-world implementation it is really a subset of NIST 800-53. Its goal is to “prioritize and focus on a smaller number of actionable controls with high-payoff, aiming for a must do first philosophy.” Because the controls were derived from the most common attack patterns and vetted across a very broad community of government and industry, with strong consensus on the resulting set, they serve as the basis for immediate, high-value action.

The complaint I hear most often about security controls and compliance mandates is that they are too generic and open to misinterpretation. They contain wording such as “use firewalls and enforce separation of duties” instead of “use host-based firewalls with a default-deny rule and assign privileges to groups instead of individuals in Active Directory.” The SANS list is different in this regard: its language is more specific. It reads closer to actionable intelligence than lofty goals, subdividing each of the 20 controls into specific tasks and requirements for improving the fitness of your IT security. The Centrify Server Suite fulfills many of these requirements, as summarized in the table below:

SANS Top 20 Critical Security Controls | Centrify Server Suite Software
CSC 3-1,3,7,10: Secure Configurations

  • (1) Establish and ensure the use of standard secure configurations of your operating systems
  • (3) Limit administrative privileges to very few users who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system
  • (7) Do all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL or IPSEC
  • (10) Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals
DirectControl and DirectAuthorize

  • Group Policy provides a secure and automated method for centrally managing security and configuration settings
  • Restricts access methods and privileges based on job role
  • Enforces least-privilege rights management by limiting users to a specific set of commands
  • Consolidates non-Windows user identities in Active Directory so that all accounts can be centrally managed using existing automated tools and processes
  • Uses unique Zone technology to create logical groupings of systems that have a discrete set of users, administrators and policies
  • Sets up an authenticated and encrypted connection between Active Directory and managed systems to protect the movement of authentication, policy and audit data

DirectSecure

  • Secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion.
  • Uses IPsec in transport mode for network security; protection is applied to each packet individually, and PKI credentials are used to establish unique session authentication keys for each security association
CSC 6-6: Application Software Security

  • Maintain separate environments for production and nonproduction systems. Developers should not typically have unmonitored access to production environments
DirectControl and DirectAuthorize

  • Uses unique Zone technology to create logical groupings of systems that have a discrete set of users, administrators and policies
  • Restricts access methods and privileges based on job role
CSC 7-1,4,9: Wireless Access Control

  • (1) Ensure that each wireless device connected to the network matches an authorized configuration and security profile
  • (4) Configure wireless access on client machines to allow access only to authorized wireless networks
  • (9) Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need
DirectControl and DirectAuthorize

  • Group Policy provides a secure and automated method for centrally managing security and configuration settings, including setting default wireless profiles, 802.1x settings and disabling Bluetooth
CSC 8-3: Data Recovery Capability

  • Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services
DirectSecure

  • Secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion.
CSC 11-2: Limitation and control of network ports, protocols and services

  • Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed
DirectControl and DirectAuthorize

  • Group Policy provides a secure and automated method for centrally managing security and configuration settings, including default firewall rules
CSC 12-1,3,4,8,9,10,12: Controlled use of admin privileges

  • (1) Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior
  • (3) Configure all administrative passwords to be complex and contain letters, numbers, and special characters intermixed, and with no dictionary words present in the password
  • (4) Before deploying any new devices in a networked environment, change all default passwords for applications and operating systems to have values consistent with administration-level accounts
  • (8) Through policy and user awareness, require that administrators establish unique, different passwords for their administrative and non-administrative accounts. Each person requiring administrative access should be given his/her own separate account. Users should only use the Windows “administrator” or UNIX “root” accounts in emergency situations. Domain administration accounts should be used when required for system administration instead of local administrative accounts
  • (9) Configure operating systems so that passwords cannot be re-used within a timeframe of six months
  • (10) Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system
  • (12) Use multifactor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, to include the use of smart cards with certificates, One Time Password (OTP) tokens, and biometrics
DirectControl and DirectAuthorize

  • Consolidates non-Windows user identities in Active Directory so that all accounts can be centrally managed using existing automated tools and processes
  • Links all entitlements and actions to a single, definitive and centrally managed user identity in Active Directory
  • Restricts access methods and privileges based on job role
  • Enforces least-privilege rights management by limiting users to a specific set of commands
  • Allows Active Directory password policies to be applied to admin accounts on non-Windows machines
  • Supports smart card authentication for Mac & Linux workstations

DirectAudit

  • Captures complete admin session details: who accessed the system, what commands they entered, and the system output
  • Provides unique ability to replay admin sessions to clearly establish outcomes of user activity
  • Enables both real-time and historical monitoring of admin sessions, and features robust search and reporting capabilities
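CSC 12-10 above asks for a log entry and an alert whenever an account is added to or removed from a domain administrators group, or a new local administrator account appears on a system. The following is an added example of that detection logic; it is not Centrify code and not part of the original post. It runs over a handful of constructed Windows Security event records, simplified to the fields the rule needs. The event IDs are the real ones Windows emits for these changes; everything else in the sample, including the host and account names, is made up. It goes slightly beyond 12-10 by covering global, local and universal group scopes and by correlating a 4720 account creation with a following addition to the local Administrators group.

```python
"""Detection logic for CSC 12-10: alert when an account is added to or removed
from a privileged group, or when a newly created account is made a local
administrator.

Added example, not Centrify code. The Windows Security event IDs are real
(4720, 4728/4729, 4732/4733, 4756/4757); the event records below are
constructed, simplified versions of what a SIEM or Windows Event Forwarding
would deliver."""

# Security event IDs for group membership changes, keyed by group scope.
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
MEMBER_REMOVED = {4729: "global", 4733: "local", 4757: "universal"}
USER_CREATED = 4720  # "A user account was created"

# Groups whose membership must never change silently. Extend per environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators"}

# Constructed sample events (not real log data). Hosts and accounts are made up.
SAMPLE_EVENTS = [
    {"EventID": 4728, "Computer": "DC01", "SubjectUser": "jsmith",
     "TargetGroup": "Domain Admins", "Member": "CORP\\bob"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUser": "jsmith",
     "TargetGroup": "Sales", "Member": "CORP\\alice"},
    {"EventID": 4720, "Computer": "WEB01", "SubjectUser": "svc_deploy",
     "TargetGroup": None, "Member": "WEB01\\helper"},
    {"EventID": 4732, "Computer": "WEB01", "SubjectUser": "svc_deploy",
     "TargetGroup": "Administrators", "Member": "WEB01\\helper"},
    {"EventID": 4729, "Computer": "DC01", "SubjectUser": "jsmith",
     "TargetGroup": "Domain Admins", "Member": "CORP\\carol"},
]


def admin_change_alerts(events):
    """Return one alert dict per privileged-group change, in event order.

    'kind' is 'privileged_add', 'privileged_remove' or 'new_local_admin'
    (a 4720 followed by a 4732 into Administrators for the same account on
    the same host, i.e. a brand-new local administrator account)."""
    created = set()  # (computer, member) pairs seen in a 4720
    alerts = []
    for ev in events:
        eid, member, host = ev["EventID"], ev["Member"], ev["Computer"]
        if eid == USER_CREATED:
            created.add((host, member))
            continue
        if eid not in MEMBER_ADDED and eid not in MEMBER_REMOVED:
            continue
        group = ev["TargetGroup"]
        if group not in PRIVILEGED_GROUPS:
            continue  # routine group change, log only
        if eid in MEMBER_ADDED:
            kind = "privileged_add"
            if (MEMBER_ADDED[eid] == "local" and group == "Administrators"
                    and (host, member) in created):
                kind = "new_local_admin"
        else:
            kind = "privileged_remove"
        alerts.append({"kind": kind, "group": group, "member": member,
                       "computer": host, "actor": ev["SubjectUser"],
                       "event_id": eid})
    return alerts


if __name__ == "__main__":
    for a in admin_change_alerts(SAMPLE_EVENTS):
        print(f"ALERT {a['kind']}: {a['member']} -> {a['group']} on "
              f"{a['computer']} by {a['actor']} (event {a['event_id']})")
```

In practice the events come from domain controllers and member servers through Windows Event Forwarding or a SIEM; the rule is cheap enough to run on every event. Unix and Linux hosts do not emit these IDs, so the same requirement there needs an equivalent rule over their own logs (role or sudoers changes), which DirectAudit session data can feed.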
CSC 13-1: Boundary Defense

  • Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (whitelists).
DirectControl and DirectAuthorize

  • Group Policy provides a secure and automated method for centrally managing security and configuration settings, including default firewall rules

DirectSecure

  • Secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion.
  • Leverages AD to seamlessly block untrusted systems from communicating with trusted systems.
CSC 14-5,7,10: Audit log maintenance, monitoring, analysis

  • (5) Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs
  • (7) For all servers, ensure that logs are written to write-only devices or to dedicated logging servers running on separate machines from the hosts generating the event log
  • (10) Ensure that the log collection system does not lose events during peak activity
DirectAudit

  • Captures complete session details: who accessed the system, what commands they entered, and the system output
  • Provides unique ability to replay sessions to clearly establish outcomes of user activity
  • Enables both real-time and historical monitoring of sessions, and features robust search and reporting capabilities
  • Agents immediately send captured data off the host to DirectAudit Collectors
  • Designed for massive scalability across very large enterprises
CSC 15-1,3: Controlled Access based on need to know

  • (1) All communication of sensitive information over less-trusted networks should be encrypted
  • (3) Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data
DirectControl and DirectAuthorize

  • Group Policy provides a secure and automated method for centrally managing security and configuration settings, including default auditing configurations
  • All login activity on Unix, Linux and Mac systems is recorded in Active Directory event logs

DirectAudit

  • Captures complete session details: who accessed the system, what commands they entered, and the system output

DirectSecure

  • Secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion.
  • Leverages AD to seamlessly block untrusted systems from communicating with trusted systems.
CSC 16-3,6,7,8,9,11,12,13,14,15,16,17: Account monitoring and control

  • (3) Ensure that systems automatically create a report that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire
  • (6) Configure screen locks on systems to limit access to unattended workstations
  • (7) Monitor account usage to determine dormant accounts, notifying the user or user’s manager. Disable such accounts if not needed, or document and monitor exceptions (e.g., vendor maintenance accounts needed for system recovery or continuity operations)
  • (8) Require that all non-administrator accounts have strong passwords that contain letters, numbers, and special characters, be changed at least every 90 days, have a minimal age of one day, and not be allowed to use the previous 15 passwords as a new password. These values can be adjusted based on the specific business needs of the organization
  • (9) Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time
  • (11) Monitor attempts to access deactivated accounts through audit logging
  • (12) Configure access for all accounts through a centralized point of authentication, for example Active Directory
  • (13) Profile each user’s typical account usage by determining normal time-of-day access and access duration
  • (14) Require multi-factor authentication for accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using Smart cards with certificates, One Time Password (OTP) tokens, or biometrics
  • (15) For authenticated access to web services within an enterprise, ensure that account usernames and passwords are passed over an encrypted channel
  • (16) Configure all systems to use encrypted channels for the transmission of passwords over a network
  • (17) Verify that all password files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system
DirectControl and DirectAuthorize

  • Consolidates non-Windows user identities in Active Directory so that all accounts can be centrally managed using existing automated tools and processes
  • Allows Active Directory password and account policies to be applied to accounts on non-Windows machines
  • Group Policy provides a secure and automated method for centrally managing security and configuration settings, including default screen lock rules
  • Restricts access methods and privileges based on job role, including temporary vendor roles with date & time restrictions
  • Enforces least-privilege rights management by limiting users and roles to a specific set of commands
  • Supports smart card authentication for Mac & Linux workstations
  • Sets up an authenticated and encrypted connection between Active Directory and managed systems to protect the movement of authentication, policy and audit data
  • Allows Unix and Linux web servers to use Active Directory authentication, authorization and Kerberos ticketing

DirectAudit

  • Enables both real-time and historical monitoring of user sessions, and features robust search and reporting capabilities
  • Captures complete session details: who accessed the system, what commands they entered, and the system output

DirectSecure

  • Secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion.
  • Leverages AD to seamlessly block untrusted systems from communicating with trusted systems.
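CSC 16-3 above asks for an automatic report of locked-out accounts, disabled accounts, accounts with passwords past the maximum age, and accounts whose passwords never expire. On a Unix or Linux host that information lives in /etc/shadow, and the accounts that stay local after consolidating identities in Active Directory are exactly the ones such a report needs to catch. The following is an added example of producing that report from shadow-format lines; it is not Centrify code and not part of the original post. The shadow lines are constructed, the salts and hashes are placeholders, and the fixed "today" makes the result reproducible. It also flags an empty password field, which is outside 16-3 but is the kind of password-file problem 16-17 is about.

```python
"""Account-hygiene report for CSC 16-3 from /etc/shadow: locked accounts,
disabled accounts, passwords past their maximum age, and passwords that never
expire. Added example, not Centrify code; the shadow lines are constructed.
On a real host read /etc/shadow as root (or run `getent shadow`)."""
from datetime import date

EPOCH = date(1970, 1, 1)
# Fixed "today" in days since the epoch (the unit /etc/shadow uses) so the
# sample output is reproducible; use (date.today() - EPOCH).days on a host.
TODAY = (date(2024, 6, 1) - EPOCH).days
NEVER = 99999  # max-age value that means "never expires"

# Constructed sample data, not a real shadow file. Field order:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = "\n".join([
    f"root:$6$salt$hash:{TODAY - 30}:0:{NEVER}:7:::",        # never expires
    f"alice:$6$salt$hash:{TODAY - 120}:1:90:7:::",           # 120 days old, max 90
    f"bob:!$6$salt$hash:{TODAY - 10}:1:90:7:::",             # locked (usermod -L)
    f"svc_backup:*:{TODAY - 400}:0:{NEVER}:7:::",            # no password login
    f"carol:$6$salt$hash:{TODAY - 5}:1:90:7::{TODAY - 1}:",  # account expired
    f"dave:$6$salt$hash:{TODAY - 10}:1::7:::",               # empty max age
    f"erin:$6$salt$hash:{TODAY - 10}:1:90:7:::",             # healthy
    f"legacy::{TODAY - 10}:0:90:7:::",                       # empty password!
])


def parse_shadow(text):
    """Parse shadow-format lines into dicts; empty numeric fields become None."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 8:
            raise ValueError(f"malformed shadow line: {line!r}")
        fields += [""] * (9 - len(fields))
        name, pw, lastchg, _min, maxage, _warn, _inactive, expire, _ = fields[:9]
        entries.append({
            "name": name,
            "pw": pw,
            "lastchg": int(lastchg) if lastchg else None,
            "max": int(maxage) if maxage else None,
            "expire": int(expire) if expire else None,
        })
    return entries


def account_report(text, today=TODAY):
    """Classify every shadow entry; an account may appear in several lists."""
    report = {"locked": [], "disabled": [], "empty_password": [],
              "password_overdue": [], "never_expires": []}
    for e in parse_shadow(text):
        pw, name = e["pw"], e["name"]
        if pw == "":
            # An empty hash field means no password is required at all.
            report["empty_password"].append(name)
            continue
        expired = e["expire"] is not None and e["expire"] <= today
        if pw.startswith("!"):
            report["locked"].append(name)  # "!hash", "!!" and "!*" are all locked
        elif pw == "*" or expired:
            report["disabled"].append(name)
        # Aging rules only apply to accounts that still hold a real hash
        # (locked accounts included, since they can be unlocked again).
        if pw.lstrip("!") in ("", "*") or expired:
            continue
        if e["max"] is None or e["max"] >= NEVER:
            report["never_expires"].append(name)
        elif e["lastchg"] is not None and e["lastchg"] + e["max"] < today:
            report["password_overdue"].append(name)
    return report


if __name__ == "__main__":
    for category, names in account_report(SAMPLE_SHADOW).items():
        print(f"{category:17s} {', '.join(names) or '-'}")
```

Run it from cron as root against /etc/shadow on each host and ship the output to the same place as the biweekly log reports in CSC 14-5. Accounts that have been moved into Active Directory through DirectControl will not appear here at all; their aging and lockout state is governed by AD policy, which is the point of consolidating them.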
CSC 17-7: Data Protection

  • Move data between networks using secure, authenticated, and encrypted mechanisms
DirectSecure

  • Secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion.
  • Leverages AD to seamlessly block untrusted systems from communicating with trusted systems.
CSC 20-2: Penetration Tests and Red Team exercises

  • Any user or system accounts used to perform penetration testing, should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over
DirectControl and DirectAuthorize

  • Restricts access methods and privileges based on job role, including temporary Testing roles with date & time restrictions

DirectAudit

  • Enables both real-time and historical monitoring of user sessions, and features robust search and reporting capabilities
  • Captures complete session details: who accessed the system, what commands they entered, and the system output

In part 1 of this series I discussed the security vs. compliance debate and why it’s important to implement solutions that increase both. Along the way we looked at three different sets of security controls and how the Centrify Server Suite addresses the requirements within each of them. I’ve also discussed the practical-sense aspect of keeping your security healthy, and how it’s the details that drive improvement, not generic statements.

A common thread throughout has been that IT security folks know they need to become more secure and more compliant with fewer resources, but where does one begin? A good starting point is the Centrify Server Suite and the three standards we’ve discussed. You can view it like this: NIST 800-53 is the compliance mandate that serves as your overall guideline, the SANS Top 20 Critical Security Controls are the practical checklist of what works, and DHS CDM is the federal program that aims to strengthen each participant’s IT security. In keeping with the fitness metaphor, Centrify is the exercise equipment that improves your IT security health. So my prescription is to get the Centrify Server Suite and start checking off items on the SANS list in preparation for your NIST 800-53 compliance review, knowing that you’re also fulfilling a majority of the requirements for DHS CDM.

Security Controls with Centrify