SANS Critical Controls 17, 18 and 19: Data Loss Prevention, Incident Response and Management, Secure Network Engineering
- Aug 22, 2013
- Michelangelo Sidagni
In this installment of our SANS 20 Critical Security Controls series, I have bundled three controls together simply because they are very much procedural in nature. I will explain how the NopSec Unified VRM solution can help in implementing these three controls.
The Data Loss Prevention control has recently jumped onto the radar screens of most organizations' CISOs because of Mr. Snowden's whistle-blowing revelations about the NSA. It is paramount for every organization to prevent the leakage of confidential information to the outside world by employees. Most of the work in setting up this control goes into establishing an information classification program, cataloging information into categories based on its sensitivity and importance to the organization. Once the information classification is in place, a "need-to-know" program needs to be established to tune the organization's access control policies to employees' roles and responsibilities. Once this has been done, a data leakage prevention technical control needs to be set up at the gateway so that sensitive information is not leaked to the outside world.
Unified VRM can help in this process with its internal assessment module, which, appropriately configured with a customized scan template, can help find confidential and sensitive information such as credit card numbers and social security numbers. The same can be accomplished with the web application assessment module, which can help find sensitive information in web applications. Both methods work with or without credentials.
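The discovery step described above is pattern matching plus validation: a raw digit pattern alone produces far too many false positives for a DLP control at the gateway to act on. The Python below is an added example written for this page, not code from NopSec or Unified VRM; the sample text is constructed, and the Luhn and SSN-format checks are the standard validation rules for those two data types.

```python
import re

# Constructed sample export, not real customer data. The first card number is
# the well-known Visa test number and passes the Luhn checksum; the second
# differs only in its last digit and fails it.
SAMPLE_TEXT = """
card: 4111 1111 1111 1111   (passes Luhn, should be flagged)
card: 4111-1111-1111-1112   (fails Luhn, should not be flagged)
ssn: 123-45-6789            (valid format, should be flagged)
ssn: 000-12-3456            (area 000 is never issued, should not be flagged)
ssn: 987-65-4320            (areas 900-999 are never issued, should not be flagged)
order id: 12345678901234    (14 digits, fails Luhn, should not be flagged)
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US social security number in its hyphenated form.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that are never issued (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged without re-leaking the data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive_data(text: str) -> list:
    """Return (kind, masked_value) for every validated card or SSN match in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    return findings


if __name__ == "__main__":
    for kind, value in find_sensitive_data(SAMPLE_TEXT):
        print(f"{kind}: {value}")
```

Masking the reported values matters as much as the detection: a DLP finding log full of complete card numbers is itself a store of sensitive information that the classification program has to cover.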
Security Incident Response and Management is a very important procedure for making sure that security events and incidents are appropriately mitigated, escalated and investigated. No intrusion detection, intrusion prevention or SIEM system can substitute for a well-structured incident response procedure.
Unified VRM can help mimic the most advanced penetration testing techniques, which are instrumental in testing security incident response procedures. A well-structured vulnerability management / penetration testing process can help customize the incident response procedures to meet the organization's business goals.
No security control alone can prevent advanced intrusion techniques without well-structured engineering of the organization's networks: wired, wireless and mobile. Networks need to be appropriately segmented and separated with VLANs and firewalls to protect the segments that contain sensitive information. Layered web application architectures need to be appropriately structured so that the individual layers cannot be compromised independently. Network devices (routers and switches) need to be appropriately configured, eliminating default passwords and credentials. Switches need to be appropriately configured to prevent ARP cache poisoning attacks. Firewalls need to be patched for vulnerabilities and configured to allow through only ports that have a business justification.
Unified VRM, with its external, internal, configuration and web application modules, can help test network infrastructure, firewalls, web applications, application gateways, SOCKS proxies and RADIUS servers for security misconfigurations and vulnerabilities. Also, the wireless and exploitation modules can mimic exploitation techniques on wired and wireless networks as the ultimate test of an appropriate network security architecture.
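Two of the network-engineering requirements in this section, that firewalls allow only ports with a business justification and that segments holding sensitive data are separated from the rest of the network, lend themselves to an automated rule review. The Python below is an added example written for this page, not a NopSec product feature; the rule schema, zone names, trust ranking and approved-port list are assumptions made for the illustration, and the ruleset itself is constructed.

```python
# Constructed sample ruleset in an assumed simplified schema (not a vendor
# export format). Rules are evaluated top to bottom, first match wins.
RULES = [
    {"id": 1, "src": "internet", "dst": "dmz", "port": 443, "action": "allow",
     "justification": "public web front end"},
    {"id": 2, "src": "dmz", "dst": "cardholder", "port": 5432, "action": "allow",
     "justification": "web tier to payment database"},
    {"id": 3, "src": "internet", "dst": "dmz", "port": "any", "action": "allow",
     "justification": ""},
    {"id": 4, "src": "corporate", "dst": "cardholder", "port": 23, "action": "allow",
     "justification": "legacy switch management"},
    {"id": 5, "src": "any", "dst": "any", "port": "any", "action": "allow",
     "justification": "temporary troubleshooting"},
    {"id": 6, "src": "any", "dst": "any", "port": "any", "action": "deny",
     "justification": "default deny"},
]

# Assumed zone trust ranking (higher = more trusted), the segment that holds
# sensitive data, and the only ports approved into it from less trusted zones.
TRUST = {"internet": 0, "dmz": 1, "corporate": 2, "cardholder": 3}
SENSITIVE = {"cardholder"}
APPROVED_INTO_SENSITIVE = {5432}
# Management protocols that carry credentials in cleartext.
CLEARTEXT_MGMT = {23: "telnet", 21: "ftp", 69: "tftp", 161: "snmp v1/v2c"}


def covers(earlier: dict, later: dict) -> bool:
    """True if `earlier` matches every packet `later` would match, so `later` is never reached."""
    def sub(a, b):
        return a == "any" or a == b
    return (sub(earlier["src"], later["src"]) and sub(earlier["dst"], later["dst"])
            and sub(earlier["port"], later["port"]))


def audit(rules: list) -> list:
    """Return (rule id, finding code, explanation) tuples in rule order."""
    findings = []
    for i, r in enumerate(rules):
        rid = r["id"]
        # Ordering defects matter for allow and deny rules alike.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((rid, "SHADOWED", f"never matched, rule {earlier['id']} already covers it"))
                break
        if r["action"] != "allow":
            continue
        if r["src"] == "any" and r["dst"] == "any" and r["port"] == "any":
            findings.append((rid, "ANY_ANY", "permits all traffic between all zones"))
        elif r["port"] == "any":
            findings.append((rid, "ALL_PORTS", f"every port open from {r['src']} to {r['dst']}"))
        if not r["justification"].strip():
            findings.append((rid, "NO_JUSTIFICATION", "permit rule has no recorded business justification"))
        if (r["dst"] in SENSITIVE and TRUST.get(r["src"], 0) < TRUST[r["dst"]]
                and r["port"] not in APPROVED_INTO_SENSITIVE):
            findings.append((rid, "SEGMENTATION", f"port {r['port']} into {r['dst']} is not on the approved list"))
        if r["port"] in CLEARTEXT_MGMT:
            findings.append((rid, "CLEARTEXT_MGMT", f"{CLEARTEXT_MGMT[r['port']]} exposes credentials in cleartext"))
    return findings


if __name__ == "__main__":
    for rid, code, why in audit(RULES):
        print(f"rule {rid}: {code}: {why}")
```

On the sample, the "temporary troubleshooting" rule 5 is reported twice over: once as an any/any permit and once as the reason the default-deny rule 6 is shadowed and never matched, which is exactly how a well-intentioned default-deny ruleset quietly stops being one.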
Learn more about NopSec's approach to penetration testing in the Best Practices Guide: Penetration Testing.