This is Part 17 of a 'How-To' effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here:
- Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
- Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
- Part 3 - we looked at Secure Configurations.
- Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
- Part 5 - we looked at Malware Defenses.
- Part 6 - we looked at Application Security.
- Part 7 - we looked at Wireless Access Control.
- Part 8/9 - we looked at Data Recovery and Security Training.
- Part 10/11 - we looked at Secure Configurations for Network Devices such as Firewalls, Routers, and Switches and Limitation and Control of Network Ports, Protocols and Services.
- Part 12 - we looked at Controlled Use of Administrative Privileges.
- Part 13 - we looked at Boundary Defense.
- Part 14 - we looked at Maintenance, Monitoring and Analysis of Audit Logs.
- Part 15 - we looked at Controlled Access Based on the Need to Know.
- Part 16 - we looked at Account Monitoring and Control.
Now we are taking on Data Protection.
17-1 - Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.
- VeraCrypt - Fork of the TrueCrypt code. The developers state that it addresses the weaknesses found in the TrueCrypt security audits.
- Windows 8.1+ - Device Encryption, a BitLocker-based feature that is switched on automatically on hardware meeting Microsoft's requirements (TPM plus InstantGo); the recovery key is escrowed to the user's Microsoft account or, on domain-joined machines, to Active Directory.
- BitLocker - Included in Windows 7 Ultimate and Enterprise, Windows 8/8.1 Pro and Enterprise, and Windows 10 Pro, Enterprise and Education. TPM use, PIN requirements and recovery-key escrow to Active Directory are all controlled through GPO.
- FileVault - Full-disk encryption built into macOS (FileVault 2, OS X 10.7 and later); recovery keys can be escrowed through MDM or an institutional recovery key.
- Linux - LUKS/dm-crypt; most modern distribution installers offer to encrypt the home partition or the whole disk during setup.
Whichever product you pick, the control is only met if you can prove a given machine is encrypted (manage-bde -status on Windows, fdesetup status on macOS, lsblk showing crypt devices on Linux) and can recover the data when a user forgets the passphrase, so recovery-key escrow belongs in the deployment plan.
17-2 - Verify that cryptographic devices and software are configured to use publicly-vetted algorithms.
17-3 - Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.
The DLP suites listed under 17-5 below also do data-at-rest discovery, which is the tooling side of this control; 17-6 below is the same scan run periodically.
17-4 - Review cloud provider security practices for data protection.
This is a procedure rather than a tool: when contracting with a cloud service provider (SaaS, PaaS or IaaS), review their independent attestations (SOC 2 Type II, ISO 27001, or their entry in the CSA STAR registry) and agree on who handles encryption, key management and data residency.
17-5 - Deploy an automated tool on network perimeters that monitors for certain sensitive information (i.e., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel.
- OpenDLP - open source, agent-based DLP that scans Windows systems and file shares for sensitive data at rest (so it is a discovery tool for 17-6 as much as a perimeter control for 17-5).
- MyDLP Community Edition - the free edition of Comodo's MyDLP network and endpoint DLP.
I will point you to Gartner's 2014 Magic Quadrant for DLP for the commercial products.
17-6 - Conduct periodic scans of server machines using automated tools to determine whether sensitive data (i.e., personally identifiable information, health, credit card, and classified information) is present on the system in clear text.
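As an added example (not from the original post or from any of the products listed), here is the core of what a 17-6 discovery scan and the content engine of a 17-5 DLP appliance both do: walk a set of files, match candidate patterns, validate the hits before reporting them, and redact what is reported. The directory layout, file contents and card/SSN values are constructed for the example, and the regexes are illustrative rather than a complete PII ruleset:

```python
import re
import tempfile
from pathlib import Path

# Candidate patterns. Deliberately loose; the validators below cut false positives.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812-1); most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (data_class, redacted_value) for each validated hit in text.

    Only the last four digits of a PAN or SSN are kept, so the scan report
    does not itself become a new clear-text copy of the sensitive data.
    """
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            raw = m.group(0)
            if kind == "credit_card":
                digits = re.sub(r"[ -]", "", raw)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue                # order numbers, phone numbers, etc.
                hits.append((kind, "*" * (len(digits) - 4) + digits[-4:]))
            elif kind == "ssn":
                hits.append((kind, "***-**-" + raw[-4:]))
            else:
                hits.append((kind, raw))
    return hits


def scan_tree(root: Path, max_bytes: int = 5_000_000) -> dict[str, list[tuple[str, str]]]:
    """Walk root and report files that contain clear-text sensitive data."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > max_bytes:
            continue                        # this example skips very large blobs
        text = path.read_bytes().decode("utf-8", errors="ignore")
        hits = find_sensitive(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample share; none of these values are real.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn,email\nJane Doe,123-45-6789,jane.doe@example.com\n",
    "finance/orders.txt": ("order 1001 card 4111 1111 1111 1111 exp 12/27\n"
                           "order 1002 card 4111 1111 1111 1112 (typo, fails Luhn)\n"),
    "www/index.html": "<p>Contact us through the web form.</p>\n",
}


def demo() -> dict[str, list[tuple[str, str]]]:
    """Materialise SAMPLE_FILES in a temporary directory, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for file, hits in demo().items():
        for kind, value in hits:
            print(f"{file}: {kind} {value}")
```

The Luhn check is what keeps order numbers and phone numbers out of the report, and the redaction matters as much as the detection: a scan report full of clear-text card numbers is itself a 17-6 finding. The same find_sensitive function applied to decrypted HTTP bodies or outbound mail is the matching step a perimeter DLP (17-5) performs.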
17-7 - Move data between networks using secure, authenticated, and encrypted mechanisms.
- SFTP/SCP or rsync over SSH for file transfers, TLS (HTTPS, FTPS) for application traffic, and an IPsec or TLS VPN for site-to-site flows. Plain FTP and unencrypted NFS or rsync-daemon transfers do not meet this control.
17-8 - If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.
The endpoint agents of the DLP suites under 17-5 cover this. On Windows alone, the Removable Storage Access policies (Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access) can deny write or all access to removable disks, and the BitLocker To Go policy "Deny write access to removable drives not protected by BitLocker" forces encryption of anything written to them. For a whitelist of specific devices, the Device Installation Restrictions policies can allow only listed hardware IDs, but the inventory and automatic encryption the control asks for is where the commercial endpoint DLP tools come in.
17-9 - Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them.
- WatchGuard XTM - Prevents data breaches by scanning text and common file types to detect sensitive information attempting to exit the network. This is a subscription-based service.
- Barracuda - Barracuda Web Application Firewall scans outbound traffic to prevent theft and accidental exposure of credit card numbers, email addresses and other PII. It's available as an appliance, virtual appliance, and as a cloud service on Windows Azure and Amazon Web Services (AWS).
17-10 - Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise; Review and verify each CAs Certificate Practices Statement (CPS) and Certificate Policy (CP).
Once your organization has a whitelist of CAs, distribute their root certificates through the Trusted Root Certification Authorities GPO store and stop users from adding their own: under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings, on the Stores tab, define the policy and clear "Allow user trusted root CAs to be used to validate certificates". Note that this only governs the Windows trust store; Firefox, Java and non-Windows hosts keep their own.
17-11 - Perform an annual review of algorithms and key lengths in use for protection of sensitive data.
- NIST's approved algorithms: FIPS 180-4 (Secure Hash Standard) for hash functions, FIPS 197 for AES, SP 800-57 Part 1 for matching key lengths to a security strength, and SP 800-131A for what is already disallowed (RSA and DH below 2048 bits, SHA-1 for generating digital signatures, two-key 3DES).
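As an added example that is not part of the original post, a script covering both 17-2 (is the software configured to use vetted algorithms?) and 17-11 (the periodic review): it reads an OpenSSH sshd_config and an nginx TLS fragment and reports anything outside an allowlist. The allowlists are an assumption modelled on NIST SP 800-131A and current OpenSSH defaults; substitute your organization's approved list. Both configuration fragments are constructed for the example:

```python
import re

# Deny-by-default allowlists. Modelled on NIST SP 800-131A guidance and current
# OpenSSH defaults (an assumption for this example); replace with your approved list.
SSH_APPROVED = {
    "ciphers": {
        "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
        "chacha20-poly1305@openssh.com",
    },
    "macs": {
        "hmac-sha2-256", "hmac-sha2-512",
        "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
        "umac-128@openssh.com", "umac-128-etm@openssh.com",
    },
    "kexalgorithms": {
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256",
    },
}
TLS_APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# OpenSSL cipher-string tokens that must not appear un-negated (a heuristic).
TLS_BAD_TOKEN = re.compile(r"RC4|DES|MD5|NULL|EXP|ADH|AECDH", re.IGNORECASE)


def audit_sshd_config(text: str) -> list[str]:
    """Report algorithm lists in sshd_config that fall outside SSH_APPROVED."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()                # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)      # "Keyword value" or "Keyword=value"
        if len(parts) != 2 or not parts[1].strip():
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword not in SSH_APPROVED:
            continue
        if keyword in seen:                                # sshd honours the first occurrence only
            findings.append(f"line {lineno}: {keyword} repeated; sshd keeps the first "
                            "value, so this line has no effect")
            continue
        seen.add(keyword)
        if value[0] in "+-^":                              # relative to compiled-in defaults
            findings.append(f"line {lineno}: {keyword} is relative to the compiled-in "
                            f"defaults ({value}); dump the effective list with `sshd -T`")
            continue
        for alg in value.split(","):
            if alg not in SSH_APPROVED[keyword]:
                findings.append(f"line {lineno}: {keyword} allows {alg} (not approved)")
    for keyword in SSH_APPROVED:
        if keyword not in seen:
            findings.append(f"{keyword} not set; OpenSSH defaults apply, verify with `sshd -T`")
    return findings


def audit_nginx_ssl(text: str) -> list[str]:
    """Report legacy protocols and weak cipher tokens in nginx ssl_* directives."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if line.startswith("ssl_protocols"):
            for proto in line.split()[1:]:
                if proto not in TLS_APPROVED_PROTOCOLS:
                    findings.append(f"line {lineno}: ssl_protocols enables {proto}")
        elif line.startswith("ssl_ciphers"):
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            for token in parts[1].strip("\"'").split(":"):
                if token.startswith("!"):                  # explicitly excluded: fine
                    continue
                if TLS_BAD_TOKEN.search(token):
                    findings.append(f"line {lineno}: ssl_ciphers includes {token}")
    return findings


# Constructed fragments; neither is taken from a real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
Ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc
MACs hmac-sha2-256,hmac-sha1
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
# the next line is a later, hardened Ciphers entry; sshd already took line 3
Ciphers aes256-gcm@openssh.com
"""

SAMPLE_NGINX_CONF = """\
# constructed nginx server block fragment
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:!aNULL:!MD5";
"""


def audit_all() -> dict[str, list[str]]:
    return {"sshd_config": audit_sshd_config(SAMPLE_SSHD_CONFIG),
            "nginx.conf": audit_nginx_ssl(SAMPLE_NGINX_CONF)}


if __name__ == "__main__":
    for source, findings in audit_all().items():
        for finding in findings:
            print(f"{source}: {finding}")
```

Two details matter for a real review. sshd uses the first value it reads for a keyword, so a hardened Ciphers line appended to the end of the file changes nothing (line 7 in the sample), and a list starting with +, - or ^ is relative to the compiled-in defaults, so the effective configuration has to come from `sshd -T`. The nginx check is a token heuristic; `openssl ciphers -v '<string>'` expands a cipher string authoritatively.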
17-12 - Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore it is essential that organizations be able to detect rogue connections, terminate the connection, and remediate the infected system.
Many modern firewalls (open source included) offer TLS/SSL inspection: outbound HTTPS is proxied through the device, which terminates the TLS session, inspects the clear text (DLP, malware scanning) and re-encrypts it before it leaves the network. This requires that you import and trust the device's CA certificate on all client machines, it breaks applications that pin their certificates, and most deployments exempt categories such as banking and health for privacy and legal reasons. It also only covers TLS: a channel using its own encryption on an arbitrary port is never proxied and has to be spotted by other means, for example a flow to an HTTPS port that does not begin with a TLS handshake, or high-entropy payloads on ports where you expect clear text.
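As an added example (not from the original post), one way to spot an encrypted channel that is not HTTPS: a TLS session on port 443 opens with a ClientHello that an inspecting proxy can read, normally carrying the destination hostname (SNI), while a custom encrypted protocol shows up as high-entropy bytes with no handshake in front of them. The four flows below are constructed, including the ClientHello (nothing here is captured traffic); the 7.0 bits-per-byte threshold and the RFC 5737 addresses are assumptions for the example:

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext or compressed data, 4-5 for text/HTTP."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def client_hello_sni(payload: bytes):
    """Return the SNI host_name if payload starts with a TLS ClientHello ('' when the
    hello carries no SNI), or None when this is not a TLS handshake at all."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # handshake, but not a ClientHello
    pos = 4 + 2 + 32                                  # header, client_version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                # compression_methods
    if pos + 2 > len(hs):
        return ""                                     # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(hs)):
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0 and ext_len >= 5:            # server_name: list_len, type, name_len, name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return ""


def classify(payload: bytes, entropy_threshold: float = 7.0) -> tuple[str, str]:
    """Label the opening bytes of an outbound flow seen on an HTTPS port."""
    sni = client_hello_sni(payload)
    if sni is not None:
        return ("tls", sni or "<no SNI>")
    h = shannon_entropy(payload)
    return ("opaque-encrypted" if h >= entropy_threshold else "plaintext", f"entropy={h:.2f}")


def build_client_hello(host) -> bytes:
    """Constructed TLS 1.2 ClientHello (a fixture for this example, not captured traffic)."""
    suites = b"\xc0\x2f\xc0\x30"                      # two ECDHE-RSA-AES-GCM suites
    body = (b"\x03\x03" + bytes(32) + b"\x00"         # version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # suites, null compression
    if host is not None:
        name = host.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed flows (RFC 5737 addresses). The third is deterministic pseudo-random
# bytes standing in for a custom encrypted channel; the fourth is clear-text HTTP on 443.
SAMPLE_FLOWS = {
    "10.0.1.20 -> 192.0.2.10:443": build_client_hello("www.example.com"),
    "10.0.1.21 -> 203.0.113.7:443": build_client_hello(None),
    "10.0.1.22 -> 198.51.100.9:443": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32)),
    "10.0.1.23 -> 192.0.2.44:443": b"GET /update.bin HTTP/1.1\r\nHost: 192.0.2.44\r\n\r\n",
}


def audit(flows=SAMPLE_FLOWS) -> dict[str, tuple[str, str]]:
    return {flow: classify(payload) for flow, payload in flows.items()}


if __name__ == "__main__":
    for flow, (kind, detail) in audit().items():
        print(f"{flow:32} {kind:17} {detail}")
```

In practice you would feed the first kilobyte of each new outbound flow, taken from a sensor or proxy log, into classify(). TLS without SNI (the second flow) is not malicious by itself, but it gives the proxy no hostname to apply policy to and is worth a look. The opaque flow is what this control is about: something encrypted is leaving, and it is not a protocol your TLS inspection can open.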
17-13 - Block access to known file transfer and e-mail exfiltration websites.
Any web proxy or URL filter with category lists covers this (SquidGuard or ufdbGuard on Squid, or the categorization in the WatchGuard and Barracuda products above); DNS response policy zones (RPZ) in BIND catch clients that bypass the proxy. Know of any other tools?
17-14 - Define roles and responsibilities related to management of encryption keys within the enterprise; define processes for lifecycle.
This is more of a process and procedure than a tool; NIST SP 800-57 Part 2 (Best Practices for Key Management Organizations) is the reference for defining the roles and the key lifecycle.
17-15 - Where applicable, implement Hardware Security Modules (HSMs) for protection of private keys (e.g., for sub CAs) or Key Encryption Keys.
- Network-attached HSMs (e.g. Thales/SafeNet Luna, Utimaco) or cloud-hosted ones (AWS CloudHSM, HSM-backed keys in Azure Key Vault); look for FIPS 140-2 Level 3 validation. A Windows sub CA uses the HSM through the vendor's CNG key storage provider, and the HSM's own backup and M-of-N quorum procedures become part of the key-management process in 17-14.