Technical Implementation of NIST/FFIEC CSF – Detailed Hardening and Vulnerability Management Techniques Jeff Roth, CISSP-ISSEP, CISA, CGEIT, QSA Regional Director NCC Group Security Services

Page 1:

Technical Implementation of NIST/FFIEC CSF – Detailed Hardening and Vulnerability Management Techniques

Jeff Roth, CISSP-ISSEP, CISA, CGEIT, QSA

Regional Director

NCC Group Security Services

Page 2:

Copyright © 2017 Information Systems Audit and Control Association, Inc. All rights reserved.

Agenda

• Introduction

• NIST/FFIEC CSF Foundations

• Evolving Threat Landscape

• Cyber Security & Information Security

• What is the question?

• What Happens If We Don’t Get It Right?

• Why NIST CSF?

• NIST CSF Versus FFIEC CSF Crosswalk

• NIST/FFIEC Maturity Model

• Output from CSF

Page 3:

Agenda

• NIST/FFIEC CSF Technical Controls For Discussion

• Security Content Automation Protocol (SCAP) scans

• Mobile Code controls (ActiveX, Applets, Servlets, etc.)

• File Integrity Management via open source tools (OSSEC)

• Summary Output from CSF

• Questions and Answers

Page 4:

Introduction

• This session will move at a fast pace based upon the time allotted

• The content is an overview and requires much deeper research, discussion and practice to truly implement the National Institute of Standards and Technology/Federal Financial Institutions Examination Council (NIST/FFIEC) CSF practices

• However, the intention is to both inform and motivate you in considering the benefits that can be realized and level of effort required when adopting the NIST/FFIEC CSF.

Page 5:

NIST/FFIEC CSF Foundations

Page 6:

The Evolving Threat Landscape

Page 7:

Cybersecurity & Information Security

Traditional Information security

• Involves protecting Data or Information Assets from unauthorized access, use, disruption, modification or destruction, regardless of whether the information is stored electronically or physically.

• Tends to be defense-centric and helps you better understand your organization so that you can defend it.

• Information Security questions usually begin with "what are my valuable digital assets and how can we protect them?"

Page 8:

Cybersecurity & Information Security

Cybersecurity -

• Subset of the larger area of information security.

• Cybersecurity is primarily aimed at addressing risks originating from internetworked systems and cyberspace (e.g. networks and the internet).

• Cybersecurity tends to be threat-centric and helps you understand how attackers operate so that you can stop them.

• Cybersecurity will usually start out with the question "who wants to harm what?"

Page 9:

What is the Question?

Page 10:

If we don’t get it right…..

Page 11:

Why NIST CSF?

• Recognizes that the national and economic security of the United States depends on the reliable functioning of critical infrastructure.

• Provides a prioritized, flexible, repeatable, and cost-effective approach that organizations can use to manage cybersecurity-related risk.

• Is tailored to your organization's environment and security requirements.

Page 12:

NIST CSF Versus FFIEC CSF Crosswalk

Page 13:

NIST/FFIEC Maturity Model

Page 14:

Outputs

• Define the current, ‘as is’ information security posture.

• Assess the current information security control maturity level.

• When operational threat modeling has been agreed to, identify high-risk areas.

• Review the compliance requirements of the organization.

• Present recommendations to improve the organization's information security maturity level.

Page 15:

NIST/FFIEC CSF Technical Controls for Discussion

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained

Maps to –

• FFIEC IS.B.1.3

• FFIEC IS.B.13

• FFIEC IS.B.56

• FFIEC IS.B.61

• FFIEC IS.WP.I.4.1

• FFIEC IS.WP.II.C.1

• NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

• Let's talk about Security Content Automation Protocol (SCAP) scanning against benchmarks. Do you have a "Gold Standard/Image" for:

• Platform OS?

• Network Products?

Page 16:

NIST/FFIEC CSF Technical Controls for Discussion

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained (continued)

What Benchmarks? - https://web.nvd.nist.gov/view/ncp/repository

What SCAP tools are you using?

Here are examples: https://nvd.nist.gov/scapproducts.cfm

LIVE DEMO - Let’s Run SCAP against

Linux and Windows…

(this is against my local machine)
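The live demo above runs a SCAP scanner against a benchmark; what the baseline owner (PR.IP-1) then needs is the list of rules on which the host deviates from the "gold" configuration. The Python below is an added example, not part of the presentation or of any SCAP product: it parses a constructed XCCDF 1.2 TestResult of the shape that oscap writes with --results (the rule ids, outcomes and score are made up for the example) and lists failed or errored rules at or above a chosen severity.

```python
"""Summarize an XCCDF (SCAP) result document into per-rule outcomes.

Constructed sample: a minimal XCCDF 1.2 Benchmark/TestResult. Rule ids,
severities and the score are invented for illustration only.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample results (not output from a real scan).
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample"
              start-time="2017-01-01T00:00:00" end-time="2017-01-01T00:01:00">
    <target>localhost</target>
    <profile idref="xccdf_example_profile_hardened"/>
    <rule-result idref="xccdf_example_rule_ssh_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_password_min_len" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_wireless_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_firewall_enabled" severity="high">
      <result>error</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">66.67</score>
  </TestResult>
</Benchmark>
"""

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def parse_rule_results(xml_text):
    """Return a list of (rule_id, severity, result) for every rule-result element."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result = rr.findtext("x:result", default="unknown", namespaces=ns).strip()
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def summarize(rule_results):
    """Count rules by outcome (pass, fail, error, notapplicable, ...)."""
    return Counter(result for _, _, result in rule_results)


def baseline_deviations(rule_results, min_severity="medium"):
    """Rule ids that failed or errored at or above min_severity, sorted for stable reporting.

    'error' is treated like a failure: the scanner could not confirm the
    baseline, so the host cannot be called compliant for that rule.
    """
    threshold = SEVERITY_ORDER[min_severity]
    return sorted(
        rule_id
        for rule_id, severity, result in rule_results
        if result in ("fail", "error") and SEVERITY_ORDER.get(severity, 0) >= threshold
    )


if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULTS)
    print("outcomes:", dict(summarize(rows)))
    for rule_id in baseline_deviations(rows):
        print("deviation:", rule_id)
```

Pointing the parser at a real results file from the demo is a matter of reading that file instead of SAMPLE_RESULTS; the namespace is the XCCDF 1.2 one, so a 1.1.4 result file would need the namespace string changed.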

Page 17:

NIST/FFIEC CSF Technical Controls for Discussion

DE.CM-5: Unauthorized mobile code (aka Portable Executables) is detected

Do you think we also want to block, quarantine, or alert administrators and users?

Maps to –

• FFIEC IS.B.33

• FFIEC IS.B.39

• FFIEC IS.B.55

• FFIEC IS.WP.I.4.1

• FFIEC IS.WP.II.B.10

• NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44

• What's the issue? "Mobile code, such as a Java Applet (used as an example during this presentation), is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant."1

1 Unsafe Mobile Code https://www.owasp.org/index.php/Unsafe_Mobile_Code, 12/01/2015

YES

Page 18:

NIST/FFIEC CSF Technical Controls for Discussion

• DE.CM-5: Unauthorized mobile code is detected (continued) 1

• Verify Intrusion Detection and Prevention signatures exist that monitor for unauthorized mobile code as it traverses the network

• From the perimeter down to the endpoints - blocking, quarantine, or alerting administrators

• Preventing transmission of word processing files with embedded macros when such macros have been defined to be unacceptable mobile code.

• Emails with attachments containing java scripts

• Interaction with Web sites
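The bullets above ask for mobile code to be stopped in transit, including mail with script attachments and documents carrying macros that policy has declared unacceptable. The Python below is an added example, not code from the presentation or from any mail gateway product: it applies such a policy to a MIME message built in memory. The extension lists are an assumed policy, the message and its attachments are constructed, and the macro check looks for the VBA project part that macro-enabled Office Open XML files carry inside their zip container, so a macro document renamed to .docx is still caught.

```python
"""Flag mail attachments that carry mobile code: script files by extension and
Office documents that contain a VBA project, whatever their extension claims.

Constructed sample: an EmailMessage with a text file, a .js attachment and a
'.docx' whose zip payload contains word/vbaProject.bin. Policy lists are an
assumption for this example.
"""
import io
import os
import zipfile
from email.message import EmailMessage

# Extensions the gateway treats as mobile code (assumed policy for the example).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".ps1"}
# Office Open XML formats that are macro-enabled by definition.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm"}
# Zip member name (case-insensitive suffix) that holds VBA macros in OOXML files.
VBA_PART = "vbaproject.bin"


def contains_vba_project(data):
    """True if data is a zip (OOXML) container that includes a VBA project part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(VBA_PART) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return a reason string if the attachment is unauthorized mobile code, else None."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        return f"script attachment ({ext})"
    if ext in MACRO_EXTENSIONS:
        return f"macro-enabled document ({ext})"
    if contains_vba_project(data):       # content check, independent of the extension
        return "embedded VBA macro project"
    return None


def scan_message(msg):
    """Return [(filename, reason)] for every attachment that violates the policy."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, payload)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_message():
    """Constructed message: benign notes, a JavaScript file, and a .docx hiding a VBA project."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(b"var x = 1;", maintype="application",
                       subtype="octet-stream", filename="invoice.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # minimal OOXML-like container, constructed
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    return msg


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"quarantine {name}: {reason}")
```

At a real gateway the same classify_attachment() would run on each decoded part; whether a hit blocks, quarantines, or only alerts is the policy decision the slide poses.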

Page 19:

NIST/FFIEC CSF Technical Controls for Discussion

DE.CM-5: Unauthorized mobile code is detected (continued) 1

• Sandboxing and signing mobile code - through the use of the Java interpreter integrated within the web browser (IE), you can accomplish a few key things:

• Prevent execution from affecting operating system functionality

• Only allow trusted (signed) Java scripts

• Enable a deny all with exceptions to only allow mobile code from specific sites

• What are some of the remaining risks?

Page 20:

NIST/FFIEC CSF Technical Controls for Discussion

DE.CM-5: Unauthorized mobile code is detected (continued) 1

• We must have developer training in secure code development to, at a minimum, address OWASP, CERT and/or SANS CWE mobile code issues (examples below):

• Access Violation-Returning a private array variable from a public access method allows the calling code to modify the contents of the array, effectively giving the array public access and contradicting the intentions of the programmer who made it private.

• Dangerous Array Declaration - Normally an array declared public, final, and static is a bug. Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. In most situations the array should be made private.

1 Unsafe Mobile Code https://www.owasp.org/index.php/Unsafe_Mobile_Code, 12/01/2015

Page 21:

NIST/FFIEC CSF Technical Controls for Discussion

• DE.CM-5: Unauthorized mobile code is detected (continued) 1

• Dangerous Public Field - All public member variables in an Applet and in classes used by an Applet should be declared final to prevent an attacker from manipulating or gaining unauthorized access to the internal state of the Applet.

• Public finalize() Method - A program should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). The error-prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke one of your finalize() methods because it is declared with public access. If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access.

1 Unsafe Mobile Code https://www.owasp.org/index.php/Unsafe_Mobile_Code, 12/01/2015

Page 22:

NIST/FFIEC CSF Technical Controls for Discussion

DE.CM-5: Unauthorized mobile code is detected (continued) 1

What Controls do I implement?

1. Configure Anti-malware to Block, Quarantine or whitelist portable executables/mobile code

Page 23:

NIST/FFIEC CSF Technical Controls for Discussion

DE.CM-5: Unauthorized mobile code is detected (continued) 1

What Controls do I implement? (continued)

2. Sandbox, sign and fully contain the impact of mobile code

Page 24:

NIST/FFIEC CSF Technical Controls for Discussion

DE.CM-5: Unauthorized mobile code is detected (continued) 1

What Controls do I implement? (Continued)

3. Secure Coding - Use encapsulation

Design

• Separate internal administrator's functions from external users' functions

• Differentiate between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.

• In a web browser ensure that your mobile code cannot be abused by other mobile code.

Implementation

Hide internal details of a class, including data and methods, using the private access modifier.1

1 Unsafe Mobile Code https://www.owasp.org/index.php/Use_encapsulation, 04/07/2009
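The "Access Violation" and "Dangerous Array Declaration" items in the OWASP list above, and the encapsulation rule here, share one mechanism: a reference to a private mutable object escapes through a public accessor or a public "constant", and the caller can then rewrite internal state. The Python below is an added example, written for this page rather than taken from OWASP or the presentation, and rendered in Python instead of Java (Python has no private modifier, so the underscore convention stands in for it). It shows each defect beside its hardened form: a defensive copy for the accessor, and an immutable tuple for the class-level list. Class and field names are constructed.

```python
"""Escaped-reference defects and their fixes, illustrated in Python.

LeakyAccount / LeakyPolicy show the defects; GuardedAccount / GuardedPolicy
show the hardened forms. The tamper_* helpers play the role of code outside
the class that tries to change state it should only be able to read.
"""


class LeakyAccount:
    """Defect: get_history() returns the private list itself, so callers can edit it."""

    def __init__(self):
        self._history = [100, -20]        # meant to be private to the class

    def get_history(self):
        return self._history              # live reference escapes

    def balance(self):
        return sum(self._history)


class GuardedAccount:
    """Fix: the accessor returns an immutable snapshot; writes go through a checked method."""

    def __init__(self):
        self._history = [100, -20]

    def get_history(self):
        return tuple(self._history)       # defensive copy, cannot alter internal state

    def post(self, amount):
        if not isinstance(amount, int):   # the only write path, and it validates
            raise TypeError("amount must be an int")
        self._history.append(amount)

    def balance(self):
        return sum(self._history)


class LeakyPolicy:
    """Defect: a 'constant' list; binding it once does not freeze its contents (Java's public static final array)."""
    ALLOWED_HOSTS = ["intranet.example.test"]


class GuardedPolicy:
    """Fix: an immutable tuple has no in-place mutators."""
    ALLOWED_HOSTS = ("intranet.example.test",)


def tamper_with_history(account):
    """Outside code that tries to append to whatever get_history() hands back. True if it succeeded."""
    history = account.get_history()
    try:
        history.append(1_000_000)
        return True
    except AttributeError:                # tuple has no append
        return False


def tamper_with_policy(policy_cls):
    """Outside code that tries to extend the allow-list in place. True if it succeeded."""
    try:
        policy_cls.ALLOWED_HOSTS.append("other.example.test")
        return True
    except AttributeError:
        return False


if __name__ == "__main__":
    leaky, guarded = LeakyAccount(), GuardedAccount()
    print("leaky tampered:", tamper_with_history(leaky), "balance:", leaky.balance())
    print("guarded tampered:", tamper_with_history(guarded), "balance:", guarded.balance())
```

The same review question applies to any accessor in applet or servlet code: does it return the object it stores, or a copy the caller cannot use to reach back in?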

Page 25:

NIST/FFIEC CSF Technical Controls For Discussion

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity

Maps to –

• FFIEC AUD.B.1

• FFIEC IS.WP.II.B.15

• FFIEC D&A.WP.13.1

• NIST SP 800-53 Rev. 4 SI-7

Check Status - /var/ossec/bin/ossec-control status

• ossec-monitord is running…

• ossec-logcollector is running

• ossec-syscheckd is running

• ossec-analysisd is running

• ossec-maild is running

• ossec-execd is running

Page 26:

NIST/FFIEC CSF Technical Controls for Discussion

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity (continued)

• OSSEC base configuration basics - default location /var/ossec/etc

Does this match the system CONOPS, Inventory, Dataflow diagrams?

Page 27:

NIST/FFIEC CSF Technical Controls for Discussion

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity (continued)

For Windows agents, add this:

<active-response>

<disabled>no</disabled>

</active-response>

The Windows agent executable is just an archive. Open it with 7zip to edit files at will!

Page 28:

NIST/FFIEC CSF Technical Controls for Discussion

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity (continued)

Setting the configuration to analyze the following logs (example for Linux):

- /var/log/auth.log

- /var/log/syslog

- /var/log/dpkg.log

If you want to monitor any other directory and file, just change the ossec.conf and add a new localfile entry.

<!-- Directories to check (perform all possible verifications) -->

<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

Let's add

<directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/var/www</directories>

so you can monitor the HTML (and script) files under /var/www.

Page 29:

NIST/FFIEC CSF Technical Controls for Discussion

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity (continued)

Example of things to check –

- Frequency of scans

In the <syscheck> section of ossec.conf, which starts like this:

<syscheck>

<!-- Frequency that syscheck is executed - default to every 22 hours -->

<frequency>79200</frequency>

•Alerts for new file creation. Add the line <alert_new_files>yes</alert_new_files> so that it reads like this:

<syscheck>

<!-- Frequency that syscheck is executed - default to every 22 hours -->

<frequency>79200</frequency>

<alert_new_files>yes</alert_new_files>
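The two slides above configure syscheck through three knobs: which directories are hashed (with restrict narrowing /var/www to web content), how often (frequency), and whether a brand-new file is itself an alert (alert_new_files). The Python below is an added illustration of what those settings mean, not OSSEC's code: it parses a constructed ossec.conf fragment built from the directives on the slides, then applies the same semantics to a temporary directory tree to produce the modified/added/deleted alerts syscheck would raise. It simplifies in two places, both assumptions of the example: restrict is treated as a Python regular expression (OSSEC uses its own regex dialect), and only content hashes are compared (check_all in OSSEC also covers size, permissions and ownership).

```python
"""Read <syscheck> settings from an ossec.conf fragment and apply them as a
miniature file-integrity check over a constructed directory tree.

Simplifications (assumptions of this example): restrict is a Python regex,
only content hashes are compared, and monitored paths are taken relative to
a temporary root instead of the real filesystem.
"""
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment using the directives shown on the slides.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/var/www</directories>
  </syscheck>
</ossec_config>
"""


def parse_syscheck(conf_text):
    """Return {'frequency': int, 'alert_new_files': bool, 'directories': [(path, regex_or_None)]}."""
    syscheck = ET.fromstring(conf_text).find("syscheck")
    directories = []
    for entry in syscheck.findall("directories"):
        restrict = entry.get("restrict")
        pattern = re.compile(restrict) if restrict else None
        for path in entry.text.split(","):          # one element may list several paths
            directories.append((path.strip(), pattern))
    return {
        "frequency": int(syscheck.findtext("frequency", default="79200")),
        "alert_new_files": syscheck.findtext("alert_new_files", default="no").strip() == "yes",
        "directories": directories,
    }


def file_digest(path):
    """SHA-256 of a file's content (OSSEC itself records MD5 and SHA-1)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, policy):
    """Hash every file under the monitored directories (relative to root), honouring restrict."""
    digests = {}
    for monitored, restrict in policy["directories"]:
        base = os.path.join(root, monitored.lstrip("/"))
        for dirpath, _, files in os.walk(base):       # silently empty if the directory is absent
            for name in files:
                if restrict and not restrict.search(name):
                    continue                            # restrict: only matching names are checked
                full = os.path.join(dirpath, name)
                digests[os.path.relpath(full, root).replace(os.sep, "/")] = file_digest(full)
    return digests


def compare(baseline, current, policy):
    """Return sorted (kind, path) alerts; 'added' only when alert_new_files is yes."""
    alerts = []
    for path, digest in baseline.items():
        if path not in current:
            alerts.append(("deleted", path))
        elif current[path] != digest:
            alerts.append(("modified", path))
    if policy["alert_new_files"]:
        alerts.extend(("added", path) for path in current if path not in baseline)
    return sorted(alerts)


def demo():
    """Build a constructed tree, baseline it, change it, and return the resulting alerts."""
    policy = parse_syscheck(SAMPLE_CONF)
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        write("etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        write("var/www/index.html", "<h1>hi</h1>")
        write("var/www/banner.png", "not-a-real-png")   # outside restrict: never hashed
        baseline = snapshot(root, policy)
        write("etc/passwd", "root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        write("var/www/shell.php", "<?php ?>")          # new file matching restrict
        write("var/www/logo.png", "x")                   # new file outside restrict
        return compare(baseline, snapshot(root, policy), policy)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"syscheck alert: {kind} {path}")
```

The restrict value from the slide, `.php|.js|.py|.sh|.html`, is an unanchored pattern in which each dot matches any character; it does what the slide intends for the web root, but a stricter form such as `\.(php|js|py|sh|html)$` would avoid matching names like `Dashboard` by accident.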

Page 30:

NIST/FFIEC CSF Technical Controls for Discussion

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity (continued)

• Rule ID Range / General Category (excerpt as examples)

• 00000–00999 Reserved for internal OSSEC HIDS rules

• 01000–01999 General syslog rules

• 02100–02299 Network File System (NFS) rules

• 02300–02499 xinetd rules

• 02500–02699 Access control rules

• 02700–02729 mail/procmail rules

• 02800–02829 smartd rules

• 02830–02859 crond rules

• 02860–02899 Mount/Automount rules

• 03100–03299 Sendmail mail server rules

• 03300–03499 Postfix mail server rules

Page 31:

Summary

• With the integration of NIST CSF within Financial Institutions examination requirements, a sea change in both IT governance and cybersecurity has arrived.

• While not covered within this presentation, the Securities and Exchange Commission and the Federal Deposit Insurance Corporation have also adopted their own versions of the NIST CSF.

• The framework is driving organizations to truly address Cybersecurity in a holistic manner recognizing that compliance alone does not equal an organization’s real world Cybersecurity posture.

• CSF looks at Cybersecurity as "Security in Breadth", not just "Security in Depth", and is to be tailored to the organization based on more objective, risk-based threat modeling.

Page 32:

Summary

• Risk and threat modeling is a living process that changes every day with each organization's operations, threat actor motivations and geopolitical situations.

• The CSF draws from recognized cyber security engineering practices (not one-off ideas) – ISO 21827 Systems Security Engineering Capability Maturity Model.

• The CSF drives organizations either to have technical expertise in house or to acquire the expertise needed to establish and maintain an adequate Cybersecurity posture. No more excuses: the CSF has broken this down into a simple, actionable framework.

• So what’s in your security program?

Page 33:

Questions?

Page 34:

Thank you!

Jeff Roth, CISSP-ISSEP, CISA, CGEIT, QSA

321.795.0391
