Professional Documents
Culture Documents
my cs205
my cs205
1: Harden IT Asset
Pursue the 8 step hardening methodology
2: Periodic Validation
Check periodically (every quarter) for changes to the established standard or
baseline
Step 1:
8 step hardening methodology
Step 2: Research:
Look up google
Look for case studies and whitepapers
Other considerations:
Implement on test setup
Test the controls
Security testing tools
Perform third-party security testing (penetration testing)
Vendor best-practices for application security hardening
QUALYS POLICY LIBRARIES
IT Outsourcing
Mechanism to harden outsourced IT assets
Important considerations
IT Outsourcing examples:
Call centers
Hosted servers
Software development
Workstation helpdesk functions
Network services
Any other arrangement
Mechanism:
Information Security Policy
Vendor contract (right-to-audit clause)
Set up security project with security project manager
Periodic reviews
Penalties for non-compliance
Important considerations:
Enter security requirements into RFP
Part of vendor evaluation
Proceed with contract including InfoSec clauses
Awareness training
Security evaluations:
Include outsourced scope in periodic internal audit
Ask for third-party security review
Vulnerability assessment and penetration test (if applicable)
Spot security checks.
What is Vulnerability Management ?
What is a vulnerability ?
Vulnerability is a cyber-security term that refers to a flaw in a system that can
leave it open to attack. A vulnerability may also refer to any type of weakness in a
computer system itself, in a set of procedure or in anything that leaves information
security exposed to a threat.
1. Analyze Assets
Examine assets to scan
Gather details on IP subnet
Look at potential issues with network traffic
Inform asset owners and relevant department heads
2. Prepare Scanner
Set scanner parameters
Select type of scan
Look at credentials-based scan
Explore and research plug-ins
Do a test run
Coordinate with asset owner
3. Run Vulnerability Scanner
Run the automated scan
Monitor network performance degradation issues
Generate repor
4. Assess Results:
Evaluate results
Prioritize according to the risk level
Collate results for asset owners
Communicate the results and remediation timelines
5. Patch Systems:
Research vulnerabilities
Evaluate fixes and remediation method
Test the patches and fixes
Apply patches/fixes
Monitor results
6. Verify (Re-scan)
Re-scan to confirm that the vulnerability scanner gives a
positive report
Collate results of vulnerability scan
Report findings
Software is everywhere in IT
Software is being developed in a manner which leaves many defects which may
be exploited by attackers
Race to meet software deadlines with little emphasis on security
Result: insecure software
Gary McGraw, “trinity of trouble” for software security:
What is a patch ?
“A patch is a piece of software designed to update a computer program or its
supporting data, to fix or improve it. This includes fixing security vulnerabilities and
other bugs”.
1. Objective: Ensure visibility and control of all hardware devices connected to the
network.
2. Actions:
1. Develop and maintain a detailed inventory of all authorized hardware
devices.
2. Utilize automated tools to monitor and manage devices.
3. Implement policies to prevent and manage unauthorized devices.
1. Objective: Collect and analyze logs to detect and respond to security incidents.
2. Actions:
1. Centralize the collection of logs from all systems.
2. Use log management and analysis tools to identify suspicious activities.
3. Ensure logs are protected from tampering and stored securely.
8. Malware Defenses
1. Objective: Control and monitor the flow of information across network boundaries.
2. Actions:
1. Deploy firewalls, proxies, and other boundary protection devices.
2. Implement network segmentation to isolate sensitive data.
3. Monitor inbound and outbound traffic for suspicious activities.
1. Objective: Manage and monitor user accounts to detect and prevent misuse.
2. Actions:
1. Enforce strong password policies.
2. Implement account lockout mechanisms to prevent brute force attacks.
3. Monitor account activity for suspicious behavior.
1. Objective: Educate and train users on security policies, procedures, and best
practices.
2. Actions:
1. Develop and deliver regular security training programs.
2. Conduct phishing simulations and other awareness exercises.
3. Ensure users understand their role in maintaining security.
1. Objective: Secure the software development lifecycle and ensure applications are
free of vulnerabilities.
2. Actions:
1. Implement secure coding practices and standards.
2. Conduct regular code reviews and security testing.
3. Use application security tools, such as static and dynamic analysis.
1. Objective: Prepare for, detect, respond to, and recover from security incidents.
2. Actions:
1. Develop and maintain an incident response plan.
2. Conduct regular incident response drills and exercises.
3. Establish an incident response team and define roles and responsibilities.
By following these CIS Controls, organizations can systematically reduce their risk
and improve their overall cybersecurity posture.