This is Part 15 of a 'How-To' effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Critical Security Controls. A summary of the previous posts is here:
- Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
- Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
- Part 3 - we looked at Secure Configurations.
- Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
- Part 5 - we looked at Malware Defenses.
- Part 6 - we looked at Application Security.
- Part 7 - we looked at Wireless Access Control.
- Part 8/9 - we looked at Data Recovery and Security Training.
- Part 10/11 - we looked at Secure Configurations for Network Devices such as Firewalls, Routers, and Switches and Limitation and Control of Network Ports, Protocols and Services.
- Part 12 - we looked at Controlled Use of Administrative Privileges.
- Part 13 - we looked at Boundary Defense.
- Part 14 - we looked at Maintenance, Monitoring and Analysis of Audit Logs.
Now we are taking on Controlled Access Based on the Need to Know.
15-1 - Locate any sensitive information on separated VLANs with firewall filtering. All communication of sensitive information over less-trusted networks should be encrypted.
Know of any?
- Varonis - Shows where in file systems sensitive data resides, who has access to it, who should and shouldn't have access to it, who uses it, who owns it, and where it is overexposed.
- Netwrix Auditor - Change auditing and reporting for IT systems.
- Compare the two - Don't you just love it when both vendors do a point-counterpoint on each other? Everyone benefits!
15-2 - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.
See Part 14 for logging tools.
15-3 - Segment the network based on the trust levels of the information stored on the servers. Whenever information flows over a network with a lower trust level, the information should be encrypted.
- Domain Isolation - While not a single tool, it is a common best practice to separate your network into zones and define higher security standards for the zones that contain sensitive data. With Windows domain isolation, an IPsec policy (usually pushed by Group Policy) makes domain-joined hosts require authenticated, and optionally encrypted, connections from their peers, so a host that cannot authenticate to the domain cannot initiate a connection into the protected zone at all. Intro to Domain Isolation.
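The following is an added example (not from the original post, and not a vendor's script) of what the domain-isolation approach behind 15-1 and 15-3 looks like on a Windows server: an IPsec rule that requires Kerberos-authenticated, ESP-encrypted traffic into the sensitive subnet, plus a firewall rule that only admits SMB from computers in an authorized group. The domain name CONTOSO, the group Finance-Clients and the subnet 10.20.30.0/24 are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): domain isolation for a server holding
# sensitive data, using the built-in NetSecurity cmdlets. Run elevated on the server,
# or add -PolicyStore to target a GPO instead of the local policy store.
# Assumptions (change these): domain CONTOSO, computer group Finance-Clients,
# sensitive VLAN 10.20.30.0/24, Domain firewall profile in use.

$SensitiveSubnet = "10.20.30.0/24"   # assumed VLAN that holds the sensitive data
$Domain          = "CONTOSO"         # assumed AD domain NetBIOS name
$ClientGroup     = "Finance-Clients" # assumed group of computer accounts allowed in

# Phase 1 (main mode): authenticate the computer account with Kerberos.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$p1 = New-NetIPsecPhase1AuthSet -DisplayName "P1 Computer Kerberos" -Proposal $p1Proposal

# Phase 2 (extended mode): also authenticate the user, so rules can be scoped per user later.
$p2Proposal = New-NetIPsecAuthProposal -User -Kerberos
$p2 = New-NetIPsecPhase2AuthSet -DisplayName "P2 User Kerberos" -Proposal $p2Proposal

# Quick mode crypto: ESP with AES-256 + SHA-256, so payload is encrypted, not only integrity-checked.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qm = New-NetIPsecQuickModeCryptoSet -DisplayName "ESP AES256 SHA256" -Proposal $qmProposal

# The isolation rule. Inbound to the sensitive subnet MUST be IPsec-protected;
# outbound requests protection but falls back to clear text for peers that cannot negotiate it.
New-NetIPsecRule -DisplayName "Isolate sensitive servers" `
    -Profile Domain `
    -LocalAddress $SensitiveSubnet `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name `
    -QuickModeCryptoSet $qm.Name

# Firewall rule layered on IPsec: SMB is allowed only when the peer authenticated AND encrypted
# the connection AND its computer account is a member of the allowed group. -RemoteMachine
# takes an SDDL string, so resolve the group to its SID first (needs domain connectivity).
$groupSid = (New-Object System.Security.Principal.NTAccount($Domain, $ClientGroup)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "D:(A;;CC;;;$groupSid)"   # grant (A) for the group SID, the form -RemoteMachine expects

New-NetFirewallRule -DisplayName "SMB only from authorized finance clients" `
    -Direction Inbound -Profile Domain `
    -Protocol TCP -LocalPort 445 `
    -Authentication Required -Encryption Required `
    -RemoteMachine $sddl `
    -Action Allow

# Check: once an authorized client connects, main-mode and quick-mode SAs should be listed.
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

Two caveats before rolling this out. First, "InboundSecurity Require" means anything that cannot do Kerberos IPsec (printers, appliances, non-domain scanners, sometimes domain controllers and DHCP/DNS servers) is cut off outright, so stage the rule with `-InboundSecurity Request` and check the SA tables before switching to Require, and add explicit `-RemoteAddress` exemptions for infrastructure that must stay reachable. Second, the group-scoped SMB rule only restricts anything if the broader "File and Printer Sharing" allow rules are disabled on that server; an existing unconditional allow on port 445 still matches first.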
15-4 - Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off a server. In most organizations, access to the data is controlled by ACLs that are implemented on the server.
- Windows Server 2012 - File Classification Infrastructure (FCI), part of File Server Resource Manager, classifies files whose content matches patterns you define (for example, a file containing an SSN gets Sensitivity = High), and file management tasks then act on files of a given classification: apply an AD RMS template that blocks printing or forwarding, encrypt, move, or expire them. Because the RMS protection travels with the file, the restriction still holds after the file has been copied off the server, which is what this control asks for.
- Digital Guardian - Classify files as they are created and create rules on what to do with certain classifications.
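As an added example (not from the original post, and not a Digital Guardian or Microsoft script), here is the FCI workflow on Windows Server 2012 end to end: define a classification property, classify by content with a regular expression, and hand anything classified High to a file management task that applies an AD RMS template. The share path D:\Shares\Finance and the RMS template name "Finance - Internal Only" are assumptions; FSRM must already be installed and connected to an AD RMS cluster for the last step to work.

```powershell
# Added example (not from the original post): content-based classification with FSRM's
# File Classification Infrastructure, then RMS protection applied by classification.
# Assumptions (change these): FSRM installed (Install-WindowsFeature FS-Resource-Manager),
# FSRM configured for your AD RMS cluster, a published RMS template named
# "Finance - Internal Only", and the data living under D:\Shares\Finance.

$Namespace   = @("D:\Shares\Finance")      # assumed folder tree to classify
$RmsTemplate = "Finance - Internal Only"   # assumed AD RMS template (blocks print/forward)

# 1. A single-choice property that holds the classification result.
$values = @(
    (New-FsrmClassificationPropertyValue -Name "Low"),
    (New-FsrmClassificationPropertyValue -Name "High")
)
New-FsrmClassificationPropertyDefinition -Name "Sensitivity" -Type SingleChoice -PossibleValue $values

# 2. A content rule: any file containing an SSN-shaped token (NNN-NN-NNNN) is High.
#    \b on both ends keeps phone numbers and longer digit runs from matching.
#    Overwrite re-evaluates on every run, so a cleaned file can drop back to Low.
New-FsrmClassificationRule -Name "SSN present => High" `
    -Namespace $Namespace `
    -Property "Sensitivity" -PropertyValue "High" `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite

# 3. A file management task: when Sensitivity equals High, apply the RMS template.
#    -Continuous also catches new or changed files between scheduled runs.
$condition = New-FsrmFmjCondition -Property "Sensitivity" -Condition Equal -Value "High"
$action    = New-FsrmFmjAction -Type Rms -RmsTemplate $RmsTemplate
$schedule  = New-FsrmScheduledTask -Time (Get-Date "02:00") -Weekly @("Monday")
New-FsrmFileManagementJob -Name "Protect High files" `
    -Namespace $Namespace `
    -Condition $condition `
    -Action $action `
    -Schedule $schedule `
    -Continuous

# 4. Classify now rather than waiting for the schedule, then watch the job status.
Start-FsrmClassification -RunDuration -1 -Confirm:$false
Get-FsrmClassification
```

Test the rule against a folder of planted sample files (a few with fake SSNs, a few with phone numbers and nine-digit order numbers) before pointing it at production, and read the classification report FSRM produces: a regex that is too loose will RMS-protect files that legitimate processes then cannot open, which is how this kind of control gets switched off.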
About the Author:
Rich Johnson is currently a Systems Security Administrator with 15 years of professional experience working in IT (more if you count the years programming in BASIC on the Commodore 64 and repairing Nintendo consoles as a child). Rich has a bachelor's degree in Information Technology, but feels his real knowledge has been gained through hands-on experience, exploring security tools, and attending various security conventions. Rich currently resides in Utah and is probably learning some new interesting thing at this moment.