Achieving SANS 20 Critical Security Controls with Unified VRM

Recently I got the chance to spend a little more time examining the SANS 20 Critical Security Controls for a customer engagement. I was familiar with these 20 critical security controls but for this engagement I spent a little more time analyzing their content.

From this exercise came the idea of mapping those 20 critical security controls to the Unified VRM system. Obviously, Unified VRM is a Vulnerability Risk Management solution and not a silver bullet covering every single control on the list. However, a lot of Unified VRM functionality maps easily onto it. But let’s start with a definition.

After the definition, we will look at how the first control in the SANS list maps to Unified VRM. We will address one control per blog post, starting today with “Critical Control 1: Inventory of Authorized and Unauthorized Devices”.

SANS “20 Critical Security Controls” definition

The definition of the SANS “20 Critical Security Controls” can be found on the SANS site.

This is the definition:

“The Critical Security Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on “What Works” – security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness. Standardization and automation is another top priority, to gain operational efficiencies while also improving effectiveness. The US State Department has previously demonstrated more than 94% reduction in “measured” security risk through the rigorous automation and measurement of the Top 20 Controls.”

Here you can find a brief history of the SANS “20 Critical Security Controls”: https://www.sans.org/critical-security-controls/history

Critical Control 1: Inventory of Authorized and Unauthorized Devices

When talking about vulnerability management, I always tell the companies I work with that before they can protect anything, they need to know what to protect. That means taking an inventory of their Internet-exposed, internal, infrastructure and mobile assets. Only then can they protect them. Furthermore, when we scope our penetration testing engagements we often ask: “How many hosts do you have in your DMZ? How many hosts do you have in your internal networks?”. More often than not, people do not know the answers to these questions because they have no idea how many assets they have under protection.

Unified VRM makes it easy to take an inventory of your authorized and unauthorized devices in your networks.

The asset ranges are entered in the back end to give as much control as possible over the assets under management and assessment. We tend to enter the entire IP address range, regardless of whether every address is live, so that detection is as comprehensive as possible.

Unified VRM also has a dedicated “Assets” navigation tab that visualizes the assets under management, including detailed OS fingerprinting, asset fingerprinting, asset tags and business impact, open ports and the latest risk score.

A way to inventory the live assets within an IP address range is to ping scan the network and record the hosts that respond. Fortunately, Unified VRM works in close cooperation with the de-facto standard in network mapping, the nmap network scanner. Prior to launching a network scan, the scan configuration template can be modified so that:

1. For an external scan, ICMP ping is disabled, since ICMP would simply be dropped by the external firewall and every host would look dead; TCP-based host discovery (SYN/ACK pings to common ports) is used instead.

2. For an internal scan, host discovery can be enabled with ICMP ping, TCP ping and ARP scan. In the nmap configuration, OS fingerprinting, service fingerprinting and RPC scan can also be enabled (in current nmap releases the former RPC scan is folded into service/version detection).

For web applications the same can be done with an application-level TCP ping against ports 80 and 443.
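To make the three discovery profiles above concrete, here is an added shell example (written for this post, not Unified VRM’s own scan templates or defaults) that builds the nmap command line for an external, internal or web-application discovery scan, and parses nmap’s grepable (`-oG`) output into a list of live hosts. The probe ports (22, 25, 80, 443, 445) are illustrative choices, and the `-oG` sample is constructed, not captured from a real scan.

```shell
#!/bin/sh
# Added example: nmap host-discovery profiles matching the text above.
# Not Unified VRM's own templates; port lists are illustrative choices.

discovery_cmd() {
    # $1 = profile (external | internal | web), $2 = target (CIDR, range or host)
    # Giving nmap any explicit -P* option replaces its default ICMP+TCP mix,
    # which is how the external profile drops ICMP without dropping TCP pings.
    case "$1" in
        external)
            # No -PE (ICMP echo): the edge firewall would drop it and every
            # host would look down. -sn = host discovery only, no port scan.
            echo "nmap -sn -PS22,25,80,443 -PA80,443 $2"
            ;;
        internal)
            # ICMP echo (-PE), TCP SYN/ACK pings and ARP (-PR) are all usable
            # on the LAN. -O = OS fingerprinting, -sV = service/version
            # detection (which now also covers the old RPC scan). Needs root.
            echo "nmap -PE -PS22,80,443,445 -PA80,443 -PR -O -sV $2"
            ;;
        web)
            # Application-level reachability: TCP SYN ping to HTTP/HTTPS only.
            echo "nmap -sn -PS80,443 $2"
            ;;
        *)
            echo "unknown profile: $1" >&2
            return 1
            ;;
    esac
}

# Constructed sample of nmap grepable output (nmap ... -oG -), not a real scan.
# Documentation addresses from 192.0.2.0/24 are used so nothing here is routable.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sn -PS80,443 -oG - 192.0.2.0/29
Host: 192.0.2.1 ()  Status: Up
Host: 192.0.2.2 ()  Status: Down
Host: 192.0.2.3 (web1.example.test)  Status: Up
# Nmap done at Mon Jan  1 09:00:02 2024 -- 8 IP addresses (2 hosts up) scanned in 1.02 seconds'

live_hosts() {
    # Print one IP per line for each host nmap reported as Up; this is the
    # list you would reconcile against the asset inventory. $1 = -oG text.
    printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Usage when run directly: show the three command lines, then parse the sample.
for profile in external internal web; do
    discovery_cmd "$profile" 192.0.2.0/24
done
live_hosts "$SAMPLE_GNMAP"
```

Hosts that appear in `live_hosts` output but not in the authorized asset list are the “unauthorized devices” Control 1 is concerned with; hosts in the list that never respond are worth a follow-up, since an external scan with `-sn` cannot distinguish a decommissioned host from one whose firewall silently drops the probe ports.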

For wireless networks, the Unified VRM wireless module helps perform a wireless site survey, detecting both company-owned access points and rogue access points.

In the next installment of this series of blog posts on the SANS 20 Critical Security Controls we will address how “Critical Control 2: Inventory of Authorized and Unauthorized Software” maps to Unified VRM.

For more information on NopSec’s approach to vulnerability management, please see Best Practices Guide: Vulnerability Management