
Bsides Delhi 2017 - CIS Critical Security Controls - Vikas Singh Yadav

BSides Delhi · 41:44 · 102 views · Published 2018-02

About this talk
Slides: https://goo.gl/SMQjiq

Information Security is critical to ensuring protection of critical information and information systems. Most organisations implement Information Security in an ad hoc manner, with a few security controls sprinkled throughout the organisation after threats emerge and attacks happen. The CIS Critical Controls are a set of 20 security controls based on the "Offense informs Defense" concept. In this talk I will describe how we implemented the CIS Critical Controls in our organisation to improve Information Security. The major achievement was to use low-cost and open source tools to execute the project in limited time and budget.
Transcript [en]

How many of you have heard of critical security controls?

So, yeah, that means there's a start. I'll start off by telling you that I'll not, my talk is not as technical as the previous one. It's going to be a little more general. I'm going to try and tell you, brief you a little bit about critical security controls and also give you a brief on how you can use it for implementation, what are the advantages, how it compares with other frameworks and why should you adopt this approach and how it can be adopted right from a very small organization to a very large organization. I'll stand by.

I think that's the problem. But try and understand, it goes against the concept. You are actually having this, I suppose, a little one, primarily because agencies are demanding it, not because it's coming from the core. Like I was talking yesterday to a CISO, who was saying that I don't want to be driven by any cyber security guideline, I want security from the ground up. So now, how do you do that? I'll come back to my slides and then we'll come back to this conversation again. Anyone can tell me what this image is about? So this was a presentation where all these people from the US sat down and started wondering as to what was going on. But you can imagine sitting in a boardroom across America trying to coordinate a war-like situation sitting thousands of kilometers away. So this is a perfect example of something called fog of war. Fog of war basically means that there's so much going on, right from coordination to a drone strike, to communications, to moving around. So it's something which is very confusing. You don't know everything, but you're trying to make it, and there's no margin of error. So now, can anyone tell me this particular term, fog of war, is ascribed to which person who originated this concept? Any guess? Try to think. I'll give you a hint. It's a word called German guy. Hitler?

Hitler is more of a theoretical... Any guesses? It's a very famous German strategist called von Clausewitz. He coined this concept called Fog of War, which meant that there is too much fog in a war, there is too much going on, and leaders have to make a decision timely and effectively to be able to go through this clutter. Why I am coming to this analogy is that today, as security professionals, we are also faced with a similar situation. A huge thing. There's risk management framework, there's vulnerability assessment, there's ransomware, there's a whole host of things. Two-factor authentication, new viruses, new malware is coming and you've got new solutions. Every conference you go to you find hundreds of new solutions popping in and out. That's what is called a security fog of war. So, you have lots of problems, lots of solutions, but nothing which is simplifying it. ISO 27001 is one. But like recently I was going through one organization, ISO 27001, which I joined. Too many documents, I couldn't make it. I am trying to understand, from state to the availability, which one should I start seeing first. Though experienced practitioners may not agree with me, but still. I, as a government servant, when I was in the government, had a challenge that I had to implement security across a huge small organization, where we had multiple locations, a lot of various sites we could not reach out to, internet connectivity issues, so many other problems. So I wanted to find a solution.

So, this would give me some kind of clarity in this whole thing. So, for getting this kind of clarity, I kept searching. I thought I should be a 3.0 one, but first I had to buy this particular model, then I had to understand it. I really was not bothered, it's not necessary for us to certify ourselves to any organization. So, I was looking for some kind of a silver bullet, which was going to give me an answer. But, obviously, there is no silver bullet. So, I turned to my old friend, old mom. I don't think you can really spend time on Ormog and give us a solution. So finally I came out with a simple yet effective solution. So simple, achievable, understandable, affordable, and also lots of different browsing. But finally I came to our top critical security controls. So my topic of today's discussion is effective cyber defense using CIS critical security controls. I'll just give you a brief of

So I'll try to give you an idea as to what is the critical security controls, how can you use it in your organization, and what best approach is available for implementing this particular solution.

A little bit about me. I am an information security professional. I have done my tech in computer science. I have done a SKU certification that most of the professionals also do. Besides that, I am an ex-retired Indian Army officer. I have participated in a lot of operations in the Valley. I am also an information warrior, led two information security teams in the Army. And also I speak and write across various forums. Just to give you an idea, this is a brief view of what kind of beautiful place you can see when you are in the army or the other services. Coming back to the presentation. I will cover my presentation talking about what are we doing right now, why the CIS Critical Controls, what are the top 20 controls, what are the top 5, what are the benefits, and how can you actually implement these controls. So firstly, are we doing enough? In every organization you go to, you have firewalls, you have SIEMs, your policies, you have audits, on top of audits you have regulations. Are you doing enough? And if you are doing enough, are we winning? Some might say that yes, we are, because the number of incidents which are reported in India are less, but some might say no, because you have so many new barriers which are coming every day. So for example, a recent classical example, Bad Rabbit. Also, along with that, the implication. For the last attack which was there in Hidashi

and Malware, you had a classical example. If any one of you has not heard, RBI has fined Yes Bank and IDFC for not complying with norms. These have security regulations. Their regulations were due of 6 crores and 2 crores. Not a friendly amount, a huge amount. So this is against these regulations. Now I'm talking about big, small, large organizations, the big organizations here in this case. But in case of small organizations, they are also affected very badly. So how do you go about doing this? That is where another example: median time to discover incidents in the Asia-Pacific region, 520 days, very difficult. Worldwide, 146. It's a little old. I'll use the 2016 version, but I don't think there's much difference. That means still in the Asia-Pacific region and India in particular, the time to discover incidents is quite large. So how do you go about reducing this? You have a host of measures, but CIS critical security controls can be one or the other. So what are these controls? These controls are technical controls selected and prioritized by a consensus. There is a separate society which is drawn about understanding what are the various attacks, what are the various solutions, and then bring about the key controls which could help you implement security in your organization. They are prioritized, well supported and supported. Now, I'll just give an example of why do you

Today we have risk management on one side, we have technical controls on the other side. But how do you bridge the gap? At one of the conferences which I attended recently, one person came up and said it was just a vulnerability patch which lasts, let's say, on a crime. The bio of the patch was there, so why wasn't it passed? But from a perspective, he really asked the audience: why can't you patch this particular vulnerability which is already existing and do it over in 2 to 4 months? Can anyone answer as to why was this organization not able to patch this? One particular thing is that some application may not work if the patch is being updated. True. What else? Flexible 9.1. Anyone else?

Like a system that we have to do, yes. Sheer laziness. Yeah, laziness. But somehow I don't think, if all of us are security members, I don't think you will agree that anyone in the security community is lazy. Cost is another factor. Yeah, cost could be a factor, but I don't think, when you are getting the patch for free, implementation is an issue. You have more prioritization. Yeah, exactly. One of the reasons is prioritization. So now, until and unless, in retrospect, when you talk about it, this WannaCry SMB bug was very perfectly, easily patchable. How do you prioritize it? So, the nice speaker, he was a very prominent person, there were a huge hundred odd speakers. No one got up and told him that, sir, the biggest problem is how do I prioritize? For a security practitioner on the ground, how do you prioritize between one patch and the other patch? You have to prioritize vulnerabilities and do it. It's not a simple solution. It's an art. As you keep working in an organization, then you develop this particular understanding, as in retrospect every attack seems to have had a very simple solution. So you need to bridge this gap from where you are talking about risk management and you are talking about very key small vulnerabilities, CVSS aspects and other things. For example, that is where, though I am not making fun, but can anyone tell me the CISO of Equifax, he or she majored in which subject? Music. So I will, just to generate your interest, if you are interested on. Small bit from my side. So I am not deriding the fact that the CISO was a music major. But the question is that what could they, was the CISO or the senior security leader, able to grasp this particular concept of security? What did they do? Understand security in entirety and also then apply it on to their application. But the only application once it was done was the LinkedIn account of that particular CISO was from my email. So now in this context, how can critical security controls help us? Issues we are already aware of. But

now what did security controls do? There were a lot of expert volunteers. They decided that yes, these are the various controls which are available to us. Then they came upon about 20 top controls which, if they could be implemented in an organization, could help us out. And these are practical steps. It is not that you go through a huge risk management effort to be able to come up with a solution. I am not saying that ISO 27001 is bad or it's not suited. I am just saying that for a normal organization ISO 27001 or a NIST framework could be an overkill, if you want to implement something very simply across an organization. So, the first aspect of understanding this CIS security control is, it's a volume of knowledge with 90 page media with pictures. It's the first document you should read if you want to understand such controls. It's not that I'm not going to tell you about it, but this is the main document which you could read on the site.

So, this is the main document which lists out all the controls and also brings out various aspects which are there in these controls.

How does it differentiate from the list or the ISO? I'll come to that. But I'll give you a small example. Firstly, if you want to implement, if you just wait for five minutes, I'll come to that answer also. Can anyone tell me who said this particular quotation, learn from the mistakes of others, you can't live long enough to make them all yourselves? Sorry, I showed it already. My mistake, I'm still fiddling with this. I don't know why. That is one answer. This framework is highlighting the main aspects of controls. The top five controls are expected to give you coverage for at least 90% of the attacks. So the top five controls which we will see later, these 20 controls will give you coverage. So now it's a quick kill. One. And it is a kind of prioritized version that yes, if you do these top five things, you will be able to come up with a particular, at least reach

So, the core principles are firstly offense informs defense. What they have done is that they have seen over time what are the various aspects which are there, what are the techniques which the various attackers are using, and then used this knowledge of these attacks to actually formulate these controls. Second, prioritizing. They have prioritized these controls as per priority and then given, this is the top five or the top ten, this is the top five, the order in which you can go and protect your organization. Second, metrics. You can actually give a particular format and a metric in which you can rate. Let's say, this is a control, how much have I achieved? Out of the top 20 and the sub controls, how many have you been able to achieve? And five different. If you don't mind, press next, please.

Then continuous diagnostics and mitigation. And finally automation. They say that you should be automating most of these aspects to us to reduce human effort and error.

So, if you've got all of these sheets, I want to see if you've not seen because some of us have seen and leave them close apart. If you've seen The list of controls is listed. Can you spend two, three minutes and just both with the list of controls and list what are the top five which are there for your organization? If you're not on a pen, maybe you can just think about it and see.

I would say on the top, because if I patch my entire environment, I can say 65% of the environment. We have second as controlled access based on the analysis. Third one is security skills assessment and appropriate training. I would want to add that end user awareness is required. Email and web browser protections. Malware defenses. Yeah, that's four. I think boundary defense has to be... Is they saying boundary defense? Administrative privileges is one. Yeah, secure configuration of this is one. Another good candidate for the top five. Controlled access. Data protection. Data protection is good. Incident management proved. But will incident management stop your top 25 top attacks? So please look at it from this week. That's why I'm saying it's a quick kill. Initially, and then you can amplify all the aspects.

So let's talk about vulnerability assessment, penetration. That's the top topic. I think almost all security practitioners are involved in vulnerability assessment, penetration testing. But truthfully telling you, it's not part of the top five. Why? Because if you have, now I'm coming to the, let's see, I'll show you the top five. If any one of you feels that he's made the maximum, I'll give him a prize. Please honestly tell me who's done the top five. I'm not going to do a check in with this thing, but just for... We can have a... Please feel free to ask me whether, or share your doubts. What are the top five, whether they are correct or not. If you're not inventorying your hardware, how will you protect one? For example, if you have a premium bring your own device to allow anyone access, then how will you go to protect? Second, if you do not, if you have already whitelisted the applications which could load, then again there is no chance of any other software running on it. Two, third, if you have secure configurations, which one lady mentioned there, for all your systems, difficult to implement, but yes, I'm just saying there's the thing, it's the top five, I'm not saying all of them are easy to implement. If you are doing continuous vulnerability assessment and remediation, sorry I missed it out, go on one of the parts. And finally, if you are not giving administrative privileges to the users, that will also come in the top five. The Center for Internet Security says, if you do all these five, you stop 85 to 90 percent of the attacks. It's debatable. If anyone feels differently, you can share and say.

So, I said one: Bad Rabbit. So, this Bad Rabbit, when it came, if you are not protecting the AD, which is malware defense, so if it is not there, all these files, where does it come in? If you have whitelisted your applications and you are not allowing any other application to run and you have a secure configuration for your system, then this malware would not run. Yes, that is true, but people can still download it somewhat.

You can control and buy place, but you cannot protect everything. I absolutely agree with you. I am not saying it's perfect. I am just open to it. I wanted to give you an example, a very good example, which, what's your name please? Aastha. Aastha has given is that particular Bad Rabbit may not have been. Sorry, I am not that included in the Bad Rabbit specific example to counter, but I have been, yes, there could be examples, but at least 85 to 90% of the attacks could be stopped using these aspects. Sir, but one more question. Telling whitelisting is very easy. Like when you do an organization to a whitelisting, like some teams say, when you go and ask them as audit compliance team, like what application do you want to whitelist? They give 10 applications to us. The moment you whitelist and tomorrow they come next week, sorry, sorry, we never said left to this thing. Like on a practical implementation, whitelisting may have huge pitfalls in this thing. I absolutely agree. But I'll give you a small account. Take the majority of the systems in government organizations, for small businesses or even, let's say, our homes. Why do you get a system from HP, IBM and Dell which has an administrative account running and most of the other applications, and they are allowing you to install everything? So when your son is working on a son or your father is working on an administrative account and they are running everything, he is open to it. Similarly, a small business application, a small business could identify and then work on its own. Similarly to the large organization, see it's a management by and finally. I agree, it's a framework, you cannot say, tell your management that you remove everything. But if you have to submit your examples, this particular application could be, again, sandboxed and run. One example, it could be run on a standalone system, could be run in a virtual environment. That's the possibility. So I'm just saying that there are other ways and means and other techniques which you can do together. But obviously you cannot, this is not a perfect implementation, an easy one.

That is where, if you notice, most developed countries and applications are going in for automation. And why did this concept of single sign-on, Active Directory, come as an outcome? Because you are talking about coordinating and orchestrating at least a large number of computers, multiple geographic locations, and still being able to maintain a centralised or a distributed kind of control. So it's not easy. That's the whole challenge. That's why we as security practitioners are there. So, these people are saying that these are the first five steps you take, and I am not saying that you can take all these steps and become perfectly secure. But that's the challenge. But these are the first five steps that you could take to improve your organization's defences. And you would have to move towards it. If you are not automating your defence, that is one of the aspects. There is a way, there is a step which you have to take. So, automation is a step to take. Because manually you cannot do it. And also you have to move towards it. So, these are the other controls. For example, monitoring of logs. Email and web browser protections, some of you have already mentioned malware defenses, which is also very important. Data recovery capability, especially in case of ransomware. Secure configuration for network devices also. Boundary defense, as one person mentioned, data protection, wireless access control. I put security skills assessment and training in the list because I still feel a lot of people believe that people are still the biggest. So, but it is also in India, but if you do these five controls, the majority would be addressed. This is a map of all these various security controls.

Sorry, I missed out. Anyone got first, how many got the first five correct? Correct or nearest first? I got four out of the five. I am not saying that it is perfect, but it is not perfect, but it is a step to put that in. Now this is the kill chain which we talk about: reconnaissance, getting in, staying in and exploit that is there. So this chart depicts as to how each of these critical controls could actually stop this particular area. Like for reconnaissance, if you do these first four or five controls, you can stop or mitigate reconnaissance. And similarly, for various stages of the kill chain, for example getting in, staying in and exploit, you can do various aspects also. Each of these Critical Controls has sub-controls listed. For example, for this first Critical Security Control, it asks you to deploy automated asset inventory. It tells you to assign addresses using DHCP. It also ensures that any kind of new acquisition which is in your organization goes through a process where the IT team gets informed about it. For example, even simple cases like single sign-on, there are a lot of examples where the employees have left, the HR has not informed the IT team, and you have a single sign-on which is being used again even after employees have left, let's say 30-40 days ahead. So that process is you have to get. Why I am saying these controls are useful when you actually study this document is that, let's say you are using ISO 27001. So please do not leave it at the descriptive one, okay? You have to do this access control. What are the various steps in inventory control which you could do? So now there is an organization which has gone ahead and documented the aspects which you could do in various defenses. So, there are mappings of these controls to various frameworks also. For example, ISO 27001 or NIST or any of this. You will see those mappings and then see how you can implement this. And also see whether you have covered all the technical aspects or not. Because we have a risk management framework, but is there a connect between the risk management framework and the actual security controls in place? So, this is just an example of how it tells what is the control, why is it critical and what do you need to do for these controls. It uses specific sub controls under each control.

And also gives you for example various control tools and procedures. So now it's got the nomality of it is not 20, it's also 198 sub controls inside that. And each control has 4-8 sub controls and they also categorize under foundational and advanced. The foundational means that initial what you could do and then Last is the little one, what you can go ahead and do.

For inventory of devices, I'll just go through these. Can you please press next?

It also gives you a diagram as to how you can actually implement and how are your various aspects of your systems connected to implement a specific security control. For example, it talks about asset inventory database, how it connects to your active discovery system and a passive discovery system and how you can implement that. Inventory devices gives you a reason why identify all devices, document the inventory and keep the inventory current. Similarly for the next control.

For authorized and unauthorized software, you need to make a list of authorized software, try and do application whitelisting, use software inventory tools, and also use virtual machines and air-gapped networks. Similarly for secure configuration, you need to have baseline configurations for secure software, and also have file integrity managers and configuration management tools for implementing this. Vulnerability assessment is a continuous process. We need to keep automating vulnerability assessment and patch management and also then monitor logs to see whether these things are working. And finally, also control user admin privileges. I am not going into all the various logs, 20 controls. I just covered the first five which I imported. And also you can study in this document further as to what are the various controls I added.

Now what are the benefits? It's risk based in the sense that you can actually understand what is the risk of your organization and then you see and decide as to which are the controls you are most likely to use. It's very simple, because if you look at it one by one it's very easy to understand. And also it's based on reality, that means it is based on the assumption of what are the various attacks happening and what are the controls which are used to mitigate them. And it's dynamic, that means they keep changing the controls year on year. And finally it's affordable, there's no price, you don't have to buy the ISO 27001. You don't have to do a certification. I know certification is important, but it has got these aspects also. Some additional benefits: it's a solid platform to build your other standards on. If you're starting off in a security organization, it can be used to create a roadmap. You can do a gap assessment exercise, and then a starting point also for those who don't know where to begin. You can just use the first five controls and do just basic cyber hygiene for a specific organization. But you need to answer such controls, certain aspects like what are my time to protect, what are my gaps, what are your priorities in the organization, and also, most importantly, which we need to work more on in India, is where can I automate it and how can your vendor partners implement it. As far as the implementation part is concerned, as I agree, as I told you earlier, it really depends on the environment which you have. You have to focus on areas which you are weak in. Do a gap analysis to see which are the aspects which you have implemented. It gives you at least a good checklist as to what are the various aspects, security aspects which you could do and what are the various ones which are missing.

Firstly, do the foundational aspects first and then take on the advanced one. Certain action steps which I would like you to do if you've understood this presentation. Please have a read at this CIS critical security controls document. The latest version is 6.1.

So, you can do a gap assessment, read certain implementation articles about them, and also make a roadmap of your organization as to see what you can do best with it. Can you just show this one extra presentation. There is an initial assessment tool which is being made by an organization called Optiv. This is an Excel sheet. What it does is that it lists down the various step roles. It says that for every organization you have a policy defined. Do you have a control implemented? Do you have a control which is automated? And is this control reported to the business or not? And based on this Excel sheet, it will give you a clear dashboard of how security is made in your organization. So this is a good tool. It's from a website called Optiv.com. If you just search for this tool, you'll be able to get it. It's just an Excel sheet, but very simple to feed it. You'll just take half an hour to populate it. And then it will give you a good nice parameter of how your system is looking at. How your security state is there based on the CIS benchmark. Sorry, I missed out. You can even start with various very...

Certain simple reference material which I wanted to show you was there's AlienVault and Optiv.com that have got great articles very specifically on the critical security controls which are there, which you can use to implement these controls using both open source and commercial tools. So you can have a look at these articles also. The two websites which I'm referring you to are AlienVault and Optiv. And also there are certain specific security assessments. If you're a big organization, you can use things like Tenable Nessus, which can be used to implement properly the security controls. You have always also to implement most of these controls for a big organization. Otherwise you can use various open source tools also to implement these aspects.

Certain issues and concerns which I am referring to in this particular example are that it is very technology sensitive. So it is not very risk focused. That means it doesn't immediately give you analysis. That is what you have to do initially. So it can be mapped with the risk management framework, as Malayi was asking there. You can use this along with the risk management framework, where you can implement the security aspects in a little more detail, in a detailed manner. But it cannot substitute for a proper risk management framework.

This I have already asked. That's all from my side. Any specific questions you may have as per this? I am also available later on for any questions which you want to know what is important. I am sorry I didn't deep dive into all these controls because the time was not permitting, but there is a lot of reference material on the net, plus you can also email me. My email address is given online and there are certain references which are there. You can ask any questions which you may have on this. Sir, in accordance to implement the security, which one is more vulnerable, the software configuration or the hardware configuration? It depends on what organization you are, but I would say that both are equally important. Because software configuration is easily implementable and easily comes out. But as you have seen with certain examples of router devices and other examples, there is by-fan security and all. So both are equally important from my perspective. But it depends on the organization where you are and what is your implementation.

I believe that using different techniques they all can be bypassed. So should data recovery not be one point to be included in your top five? See, it's interesting that the assessment of the Center for Internet Security after a very bad consideration and examples given by everyone. But I'm just saying that this would invariably cover the majority of your problems and the majority of your attacks. But it does not cover all of them. But I'm saying that if you do them, the majority would be covered. But it is not a perfect solution. That's why we are here as security practitioners, to prioritize and figure out what is important and then be able to decide what is there. Just to add, this point is important, but it's a reactive step. After the incident happens, this would come into play.

Any more questions? Your CIS security framework recommends the usage of some tools. So is there any recommended tools, what type of tools can be used from the available market? Is there any reference which you can give? What it does is not specifically tell you which tool to use. But as I gave you an example, you can start with, if you are a large organization, you can start with Tenable. There's one example which covers all the various security controls and maps each and every aspect. Then you have Polis also has a particular security suite of products. And also if you go to AlienVault, AlienVault's OSSIM and their suite of USM tools also helps you implement these various security controls. Plus you have also two references which I gave. One is Optiv.com and AlienVault. They have got articles which will give you examples very specifically of both open source and commercial tools which are available, which you can... If you send me a mail, I can reply back and tell you, which will give you reference to the JavaScript. Any other questions? Are these CIS controls relevant also for the cloud? Yes. For example, I was reading yesterday that you can use these controls on a cloud environment also. You need to customize them for them. But you could also use the Cloud Security Alliance's STAR methodology also. But if you use this concept, there have been customizations of the CIS critical controls for the cloud environment also. But it's just that it will vary depending on what you use. If you're using AWS or you're using Google or you're using the Azure platform, you can customize it and use it for the cloud environment. And how is it for COBIT and other advanced? You can take a mic so that everyone can. And how about COBIT and other online speakers? I didn't get you. You said it also can be stretched to like COBIT and all also.

Yeah, it can map to COBIT also. But see, COBIT is more of an IT framework. This is more of a security standard which is described for telling you the respective controls. But it maps well to various specific security controls, the ISO 27001 and also the NIST framework. And COBIT also, I believe, the various sections can be mapped. But COBIT is more of IT governance. And this is more of an on-ground, security technology-centric framework.

So for example, what you could do is, let's say you already have ISO 27001 implemented. So you can use the mappings to check that yes, is there any gap between my ISO 27001 implementation, or has it just been nicely made for an audit environment? Okay, fine. There's a big four consulting firm. It's going to come and nicely audit by what you set of documents. They also do specific things and then check it. But your attacker or your guy is not looking for your audit certification. He is looking for rules and gaps. That is where you would come in to understand, as a security practitioner, to be able to say that yes, if you are doing inventory, are you doing inventory? Yeah, well. And now these security controls are well listed, documented, which tells you at least the top five, six things which you should need to do under every head as to what you should do. And also, the biggest aspect which I was not able to pick out entirely was automation. It says that to reduce human effort, we need to automate various aspects. That gives you examples of automation also. For example, right from hardware inventory automation, wherein a new device is plugged in, it updates your asset inventory, to software inventory environment and also its other aspects also. I think the time is running out. We can have the questions in a tea break or lunch break. And we are very thankful to Mr. Vikas Singh for giving a very engaging presentation and talk to our audience. Now I request Mr. Dineen, the vendor, to have a small coca appreciation for the science news.
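The talk describes the first CIS Control as an asset inventory database fed by active discovery (scans) and passive discovery (for example DHCP), with the aim of flagging devices that were never authorized. The following Python is an added example written for this page; it is not code from the talk, from the speaker, or from the CIS documents. It assumes an authorized inventory keyed by MAC address, a list of active-scan results, and DHCP server log lines in an ISC dhcpd-like "DHCPACK on IP to MAC (hostname)" format; all of the sample inventory, scan results and log lines are constructed for the example.

```python
"""Reconcile an authorized asset inventory against active and passive discovery.

Added example for CIS Control 1 (inventory of authorized and unauthorized devices).
Everything below is constructed sample data, not output from a real network.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed authorized inventory: MAC address -> asset record.
# In practice this would be the asset inventory database the control describes.
AUTHORIZED_INVENTORY: Dict[str, Dict[str, str]] = {
    "00:11:22:33:44:01": {"hostname": "fileserver01", "owner": "IT"},
    "00:11:22:33:44:02": {"hostname": "hr-laptop-07", "owner": "HR"},
    "00:11:22:33:44:03": {"hostname": "printer-2f", "owner": "Facilities"},
    "00:11:22:33:44:04": {"hostname": "old-build-box", "owner": "Dev"},
}

# Constructed active-discovery results (IP, MAC), e.g. from a scheduled subnet scan.
ACTIVE_SCAN: List[Tuple[str, str]] = [
    ("10.0.1.10", "00:11:22:33:44:01"),
    ("10.0.1.21", "00:11:22:33:44:02"),
    ("10.0.1.77", "00:11:22:33:44:99"),  # constructed: a device nobody registered
]

# Constructed passive-discovery data: DHCP server log lines (ISC dhcpd-like format, assumed).
DHCP_LOG = """\
Dec 01 09:14:02 dhcp1 dhcpd: DHCPACK on 10.0.1.21 to 00:11:22:33:44:02 (hr-laptop-07) via eth0
Dec 01 09:15:40 dhcp1 dhcpd: DHCPACK on 10.0.1.30 to 00:11:22:33:44:03 (printer-2f) via eth0
Dec 01 09:16:11 dhcp1 dhcpd: DHCPACK on 10.0.1.88 to AA:BB:CC:DD:EE:FF (android-7f3c) via eth0
Dec 01 09:16:12 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
"""

# Only DHCPACK lines prove that a lease was actually handed out; the hostname is optional.
DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9A-Fa-f:]{17})(?: \((\S+)\))?")


@dataclass(frozen=True)
class Sighting:
    """One observation of a device on the network, from either discovery method."""
    ip: str
    mac: str
    source: str
    hostname: Optional[str] = None


def parse_dhcp_acks(log_text: str) -> List[Sighting]:
    """Turn DHCPACK log lines into sightings; MACs are normalised to lower case."""
    sightings = []
    for line in log_text.splitlines():
        match = DHCPACK_RE.search(line)
        if not match:
            continue  # DHCPDISCOVER/REQUEST and unrelated lines are ignored
        ip, mac, hostname = match.groups()
        sightings.append(Sighting(ip=ip, mac=mac.lower(), source="dhcp", hostname=hostname))
    return sightings


def from_active_scan(results: List[Tuple[str, str]]) -> List[Sighting]:
    """Wrap active-scan (ip, mac) pairs as sightings with the same MAC normalisation."""
    return [Sighting(ip=ip, mac=mac.lower(), source="scan") for ip, mac in results]


def reconcile(inventory: Dict[str, Dict[str, str]],
              sightings: List[Sighting]) -> Tuple[Dict[str, List[Sighting]], List[str]]:
    """Split observations into unauthorized devices and stale inventory entries.

    Returns (unauthorized, stale): unauthorized maps each unknown MAC to the
    sightings that revealed it; stale lists inventory MACs no method observed,
    which is the signal to review whether the asset was retired.
    """
    seen: Dict[str, List[Sighting]] = {}
    for sighting in sightings:
        seen.setdefault(sighting.mac, []).append(sighting)
    unauthorized = {mac: obs for mac, obs in seen.items() if mac not in inventory}
    stale = sorted(mac for mac in inventory if mac not in seen)
    return unauthorized, stale


def run_report() -> Tuple[Dict[str, List[Sighting]], List[str]]:
    """Combine both discovery sources and reconcile them against the inventory."""
    sightings = from_active_scan(ACTIVE_SCAN) + parse_dhcp_acks(DHCP_LOG)
    return reconcile(AUTHORIZED_INVENTORY, sightings)


if __name__ == "__main__":
    unauthorized, stale = run_report()
    for mac, obs in sorted(unauthorized.items()):
        where = ", ".join(f"{o.ip} via {o.source}" for o in obs)
        print(f"UNAUTHORIZED {mac}: seen at {where}")
    for mac in stale:
        print(f"STALE {mac}: in inventory as {AUTHORIZED_INVENTORY[mac]['hostname']}, not observed")
```

Combining both sources matters: the active scan misses the printer (it answered only DHCP), and the DHCP log never sees the scanned-only host at 10.0.1.77, so each method alone would have under-reported. The stale list is the other half of the control the talk mentions, catching inventory entries that linger after equipment or people have left.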
