SANS Institute – CIS Critical Security Controls

CIS Critical Security Controls

The CIS Critical Security Controls for Effective Cyber Defense

The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. A principal benefit of the Controls is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They were created by the people who know how attacks work – NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations and some of the nation’s top forensics and incident response organizations – to answer the question, “what do we need to do to stop known attacks.” That group of experts reached consensus and today we have the most current Controls. The key to the continued value is that the Controls are updated based on new attacks that are identified and analyzed by groups from Verizon to Symantec so the Controls can stop or mitigate those attacks.

The Controls take the best-in-class threat data and transform it into actionable guidance to improve individual and collective security in cyberspace. Too often in cybersecurity, it seems the “bad guys” are better organized and collaborate more closely than the “good guys.” The Controls provide a means to turn that around.

SANS Supports the CIS Critical Security Controls with Training, Research and What Works

To help information security practitioners and managers implement the CIS Critical Security Controls, SANS provides a number of resources and information security courses.

Information Security Resources

  • NewsBites: Bi-weekly email of top news stories with commentary from SANS Editors. View recent editions Subscribe
  • Whitepapers: Research from SANS instructors and masters students. Download the latest papers related to the Critical Controls
  • Webcasts: Topical content presented by SANS Instructors, vendors, and leaders in infosec security. View upcoming webcasts

CIS Critical Security Controls – Version 6.1

To learn more about the CIS Critical Security Controls and download a free detailed version please visit:

The SANS “What Works” program highlights success stories in cybersecurity – real examples of how real security teams have made measurable improvements in the effectiveness and efficiency of their security controls. While most of the press coverage focuses on breaches and other security failures, there are thousands of cybersecurity leaders quietly working hard and making advances against threats while enabling business and mission needs.

SANS expert John Pescatore interviews the end user and decision maker and produces a Q

Things To Look For In Host-Based Intrusion Prevention

Host-Based Intrusion Prevention

Updated October 20, 2016

Layered security is a widely accepted principle of computer and network security (see In Depth Security). The basic premise is that it takes multiple layers of defense to protect against the wide variety of attacks and threats. No single product or technique can protect against every possible threat, so different products are needed for different threats, and having multiple lines of defense gives an inner layer the chance to catch things that slipped past the outer defenses.

There are plenty of applications and devices you can use for the different layers: antivirus software, firewalls, IDS (Intrusion Detection Systems) and more. Each has a slightly different function and protects against a different set of attacks in a different way.

One of the newer technologies is the IPS, or Intrusion Prevention System. An IPS is somewhat like combining an IDS with a firewall. A typical IDS will log or alert you to suspicious traffic, but the response is left to you. An IPS has policies and rules that it compares network traffic against. If any traffic violates those policies and rules, the IPS can be configured to respond rather than simply alerting you. Typical responses might be to block all traffic from the source IP address or to block incoming traffic on that port, proactively protecting the computer or network.

There are network-based intrusion prevention systems (NIPS) and there are host-based intrusion prevention systems (HIPS).

While it can be more expensive to implement HIPS, especially in a large enterprise environment, I recommend host-based security wherever possible. Stopping intrusions and infections at the individual workstation level can be much more effective at blocking, or at least containing, threats. With that in mind, here is a list of things to look for in a HIPS solution for your network:

  • Doesn't Rely On Signatures. Signatures, the unique characteristics of known threats, are one of the primary means used by software like antivirus and intrusion detection (IDS). The downfall of signatures is that they are reactive. A signature can't be developed until after a threat exists, and you could potentially get attacked before the signature is created. Your HIPS solution should use signature-based detection along with anomaly-based detection, which establishes a baseline of what normal network activity looks like on your machine and responds to any traffic that appears unusual. For example, if your computer never uses FTP and suddenly some threat tries to open an FTP connection from your computer, the HIPS would detect this as anomalous activity.
  • Works With Your Configuration. Some HIPS solutions may be restrictive in terms of what programs or processes they are able to monitor and protect. You should try to find a HIPS that is capable of handling commercial off-the-shelf packages as well as any home-grown custom applications you may be using. If you don't use custom applications or don't consider this a significant problem for your environment, at least ensure that your HIPS solution protects the programs and processes you do run.
  • Allows You To Create Policies. Most HIPS solutions come with a fairly comprehensive set of pre-defined policies, and vendors will typically offer updates or release new policies to provide a specific response to new threats or attacks. However, it is important that you have the ability to create your own policies in the event that you have a unique threat that the vendor doesn't account for, or when a new threat is exploding and you need a policy to defend your system before the vendor has time to release an update. Make sure the product you use not only lets you create policies, but that policy creation is simple enough to understand without weeks of training or expert programming skills.
  • Provides Central Reporting and Administration. While we are talking about host-based protection for individual servers or workstations, HIPS and NIPS solutions are relatively expensive and outside the realm of a typical home user. So, even when talking about HIPS, you probably need to consider it from the standpoint of deploying HIPS on possibly hundreds of desktops and servers across a network. While it is nice to have protection at the individual desktop level, administering hundreds of individual systems, or trying to create a consolidated report, can be nearly impossible without a good central reporting and administration function. When selecting a product, ensure that it has centralized reporting and administration so you can deploy new policies to all machines or create reports from all machines from one location.
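As an added example (not code from the original article or from any HIPS product), the following Python sketch shows the anomaly-based approach the first bullet describes: a learning phase records which processes normally make which protocol/port connections, a detection phase flags anything outside that baseline (such as the first-ever FTP connection on tcp/21), and a response phase turns each finding into a block action plus an alert. The log format, process names and sample lines are constructed for the demonstration and are not any product's real format.

```python
from collections import defaultdict

# Constructed host connection events, one per line: "timestamp process proto dst_port"
# (this format is an assumption made for the example, not any product's log format).
LEARNING_LOG = """\
2016-10-01T09:00:01 outlook.exe tcp 443
2016-10-01T09:00:07 chrome.exe tcp 443
2016-10-01T09:01:15 chrome.exe tcp 80
2016-10-01T09:02:40 outlook.exe tcp 993
2016-10-01T09:03:02 svchost.exe udp 53
2016-10-02T10:12:09 chrome.exe tcp 443
"""

LIVE_LOG = """\
2016-10-20T14:10:01 chrome.exe tcp 443
2016-10-20T14:10:09 svchost.exe udp 53
2016-10-20T14:11:30 chrome.exe tcp 21
2016-10-20T14:11:31 outlook.exe tcp 993
2016-10-20T14:12:05 newtool.exe udp 123
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, process, proto, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, proto, port = line.split()
        events.append((ts, proc, proto.lower(), int(port)))
    return events


def build_baseline(events):
    """Learning phase: remember every (proto, port) pair each process was seen using."""
    baseline = defaultdict(set)
    for _, proc, proto, port in events:
        baseline[proc].add((proto, port))
    return dict(baseline)


def detect_anomalies(events, baseline):
    """Detection phase: return (event, reason) for each live event outside the baseline.

    Two cases are reported: a process never seen during learning, and a known
    process using a protocol/port it never used before (the article's FTP case).
    """
    findings = []
    for event in events:
        _, proc, proto, port = event
        if proc not in baseline:
            findings.append((event, "unknown process"))
        elif (proto, port) not in baseline[proc]:
            findings.append((event, f"new {proto}/{port} for {proc}"))
    return findings


def plan_response(findings):
    """Prevention phase: turn each finding into a block action plus an alert message."""
    actions = []
    for (ts, proc, proto, port), reason in findings:
        actions.append({
            "action": "block",
            "process": proc,
            "proto": proto,
            "port": port,
            "alert": f"{ts} {proc}: {reason}",
        })
    return actions


if __name__ == "__main__":
    learned = build_baseline(parse_events(LEARNING_LOG))
    for act in plan_response(detect_anomalies(parse_events(LIVE_LOG), learned)):
        print(act["alert"], "->", act["action"])
```

The quality of the learning window decides the false-positive rate: with only a few days of events in the baseline, every legitimately new port a process opens is reported just like the FTP case, which is the hand-holding the article warns about further down.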

There are a few other things you need to keep in mind. First, HIPS and NIPS are not a silver bullet for security.

They can be a great addition to a solid, layered defense including firewalls and antivirus applications among other things, but they should not replace existing technologies.

Secondly, the initial implementation of a HIPS solution can be painstaking. Configuring the anomaly-based detection often requires a good deal of hand-holding to help the application understand what is normal traffic and what is not.

You may experience a number of false positives or false negatives while you work to establish the baseline of what defines normal traffic for your machine.

Lastly, companies generally make purchases based on what they can do for the company. Standard accounting practice suggests that this be measured based on the return on investment, or ROI. Accountants want to understand, if they invest a sum of money in a new product or technology, how long it will take for the product or technology to pay for itself.

Unfortunately, network and computer security products don't generally fit this mold. Security works on more of a reverse ROI. If the security product or technology works as designed, the network will remain safe, but there will be no profit from which to measure an ROI. You have to look at the reverse instead and consider how much the company could lose if the product or technology were not in place. How much money would have to be spent on rebuilding servers, recovering data, and the time and resources of dedicating technical personnel to clean up after an attack? If not having the product could result in losing significantly more money than the product or technology costs to implement, then perhaps it makes sense to do so.


File Integrity Checkers


File Integrity Checkers

When a system is compromised, an attacker will often alter certain key files to provide continued access and prevent detection. By applying a message digest (cryptographic hash) to key files and then checking the files periodically to ensure the hash hasn't changed, a degree of assurance is maintained. On detecting a change, an alert is triggered. Furthermore, following an attack, the same files can have their integrity checked to assess the extent of the compromise.
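The following is an added example (not code from the original page or from any vendor's product) of the integrity-checking loop just described: it records a SHA-256 digest for every file under a directory, stores that baseline as JSON, and on a later pass reports files whose digest changed, files that disappeared and files that appeared. The "key files" and their contents are constructed in a temporary directory so the demo runs anywhere.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 digest of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file under root (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def check_integrity(root, baseline):
    """Re-hash the tree and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, data):
    """Helper for the demo: create a constructed file at root/rel."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo():
    """Baseline three constructed 'key files', tamper with the tree, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        _write(root, "etc/ssh_config", b"PermitRootLogin no\n")
        _write(root, "bin/ls", b"\x7fELF placeholder binary\n")

        # Serialise the baseline; a real deployment keeps this copy off the monitored host
        # or on read-only media so an intruder cannot rewrite it along with the files.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulate the changes an intruder might make: edit one file, delete one, add one.
        _write(root, "etc/ssh_config", b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "bin", "ls"))
        _write(root, "etc/extra", b"unexpected\n")

        report = check_integrity(root, json.loads(stored))
        report["baseline_size"] = len(json.loads(stored))
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same `check_integrity` call serves both uses the paragraph mentions: run on a schedule it produces the alert on any change, and run once after an incident it scopes which files were touched.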

NNT Change Tracker Gen 7

NNT Change Tracker Gen 7 provides continuous protection against known and emerging cyber security threats in an easy-to-use solution, offering true enterprise coverage through agent-based and agentless monitoring options.

Vendor: New Net Technologies

Pricing Model: Commercial

Types of Intrusion Detection Systems


Types of Intrusion Detection Systems (IDS)

Posted by Lee Hazell on January 27, 2015

In the realm of information security, there is a saying that prevention is ideal but detection is a necessity. This is why architects design networks in such a way that perimeter components are able to identify, monitor and restrict traffic flows at the boundary. While firewalls are a key component of perimeter defenses, intrusion detection systems are also a necessity in today's environment. So, what are the different types of intrusion detection systems? And which are appropriate for your environment? By understanding the types of intrusion detection systems, companies can identify the right technology investment for their organisation.

The idea of intrusion detection systems is to identify anomalous activity on the network, either alert or take an automated action when it is identified, and to remember this type of activity and alert on it in future. Intrusion detection systems are key in current environments and now come as a component of most next-generation firewall devices. Let's look at the different types of intrusion detection systems.

Host-based intrusion detection systems

Host-based intrusion detection systems are utilised to monitor, detect and respond to anomalous activities identified on any given host. They allow policy management, forensics and analysis to take place at host level. The purpose of these systems is to identify anomalous activity on the host itself, such as access to sensitive files or configuration changes. The host-based IDS is integrated with the operating system, as attackers will identify and exploit most vulnerabilities at the OS level.

An advantage of host-based intrusion detection systems is that the host can be protected against known attacks. However, if the IDS is installed on the host itself, attackers have been known to circumvent controls and disable the IDS or alter its logs to cover their tracks. This can be mitigated by ensuring that the intrusion detection system is physically separate from the host, e.g. on a separate device.

Network-based intrusion detection systems

Network-based intrusion detection systems are often installed on the perimeter of the network and essentially act as packet sniffers. A network-based IDS can be implemented for the entire network or for separate segments of it. It is common practice to use network-based intrusion detection systems on high-risk segments of the network, i.e. where internet traffic is routed.

Network-based intrusion detection systems act as packet sniffers, analysing all traffic coming through the gateway and using specific metrics to measure this traffic. The IDS uses policy-defined metrics to analyse network protocols and determine whether traffic represents anomalous activity.

The main drawback of network-based intrusion detection systems is that encrypted traffic often cannot be inspected. A workaround is to break out the encrypted traffic, inspect it and repackage it. Numerous devices are capable of SSL breakout in the modern environment.

Network-based IDS can be designed in a centralised or distributed manner. In a centralised design, a single central device is used to manage and analyse all information from the various IDS systems in the network; this essentially pulls all logs from the various host- and network-based IDS systems on the network for centralised analysis. In a distributed architecture, the load is spread across numerous IDS systems using various agents. This is mainly used in a disparate environment.