GDPR Is Coming. Is Your Organization Ready?

On May 25th of 2018, the General Data Protection Regulation (GDPR) goes into effect. This is a law passed in 2016 by the member states of the European Union that requires compliance with regard to how organizations store and process the personal data of individual residents of the EU. Now maybe you are thinking that this regulation does not apply to your organization because it is not based in the EU. Don’t stop reading just yet.

From underdog to influencer: the dramatic transformation of the IT team

IT has emerged as a business enabler in the UK; recent research from ManageEngine reveals that UK companies are excelling at aligning their overall business with IT. While business professionals working outside of the IT department are reportedly exhibiting strong IT knowledge, IT managers are also showing a greater understanding of their business as a whole. The survey results gathered from over 200 IT decision makers should be welcome news for UK businesses striving to increase performance and efficiency.

Simpler, Smarter Security With Intelligent Orchestration

Cyberattacks are growing more frequent, sophisticated and damaging, and organizations have invested hundreds of billions of dollars into arming themselves to fight back. This has led to new challenges, since today’s complex security environments and processes — or lack thereof — often hinder timely and effective response to attacks.

20 CIS Controls – Control 2: Inventory and Control of Software Assets

Today, I will be going over Control 2 from version 7 of the top 20 CIS Controls – Inventory and Control of Software Assets. I will go through the 10 requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 2

Let Control 1 be a driver. Only attempt to scan hardware that is already in your asset database. If a system isn’t in the asset database, revisit Control 1 to figure out why.

Reuse existing tools. Many of the tools you are going to be using for Control 1 are going to be used for Control 2. There’s no sense in not treating these two controls as one when you are looking at how to implement them.

Start cheap. Along the same lines as reusing tools, many of the requirements can be accomplished with open source or built-in tools. That being said, as your organization grows, you will also outgrow the capabilities of these free tools.

Requirement Listing for Control 2

1. Maintain Inventory of Authorized Software

Description: Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

Notes: Creating a list from scratch in a large enterprise can seem difficult to do. As I’ve mentioned in other controls, it may be easier to start with a baseline of what currently exists (requirement 3 below) and work on noting which software on the list is approved, while of course also monitoring for new software in your environment.

2. Ensure Software is Supported by Vendor

Description: Ensure that only software applications or operating systems currently supported by the software’s vendor are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

Notes:

3. Utilize Software Inventory Tools

Description: Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

Notes: A File Integrity Monitoring tool such as Tripwire Enterprise can scan the environment for new software. Let automated tools like these be the driver for populating your inventory databases.

4. Track Software Inventory Information

Description: The software inventory system should track the name, version, publisher and install date for all software, including operating systems authorized by the organization.

Notes: If you’re using a tool mentioned in requirement three above, then you should be able to track most if not all of the items in this requirement. A snapshot of an operating system may not be able to gather install date, depending on how the data is collected. In that case, it’s best to continually scan systems and track results over time.

5. Integrate Software and Hardware Asset Inventories

Description: The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

Notes: Some tools, such as vulnerability management products like Tripwire IP360, serve a dual purpose: they both scan the environment for new devices and take inventory of what is running on them. For more single-purpose tools, make sure they are plumbed to integrate with asset management systems so you can keep data in a single repository.

6. Address Unapproved Software

Description: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

Notes: Once you have a baseline, this control becomes easy to manage. Changes to installed applications on systems should be fairly rare.

7. Utilize Application Whitelisting

Description: Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

Notes: This is the most important recommendation in the entire set of controls. Nothing will stop attackers more than implementing this properly. I would like to speak to the capabilities of AppLocker, since it is freely available to everyone running Windows (supported versions, that is) right now. First, you can whitelist by folder/file name. This makes managing the whitelist very easy, but it also provides the opportunity for an attacker to simply reuse existing folder/name structures. Next, you can whitelist by file hash, which is amazingly effective. However, this comes at the cost of having to constantly update the list of file hashes, which can be a nightmare across the enterprise. Finally, you have the option to whitelist based on the files being digitally signed. This is a good balance between the two previous options; however, it can be bypassed by attackers as well. Choose a whitelisting technology which you can easily manage across the entire environment. If that’s not possible, consider AppLocker for critical systems.

8. Implement Application Whitelisting of Libraries

Description: The organization’s application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

Notes: When you are deciding on a whitelisting solution, just make sure that this can be accomplished. As far as I am aware, AppLocker cannot define which libraries are loaded, so you are going to have to go the paid route if this section is going to be implemented.

9. Implement Application Whitelisting of Scripts

Description: The organization’s application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

Notes: Along the same lines as the previous requirement, ensure that the whitelisting technology you are using can do this. From an AppLocker perspective, you can also define which users have the ability to run these.

10. Physically or Logically Segregate High Risk Applications

Description: Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

Notes: I am glad that this is part of the control, as businesses are going to have some high-risk applications that are required to run in the environment. The key here is that you need compensating controls in place to both prevent and detect attacks. Any traffic and activity to these systems should be heavily scrutinized. These systems should be primary candidates for application whitelisting as well as whitelisted network traffic.

See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.

Read more about the 20 CIS Controls here:

Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 4 – Controlled Use of Administrative Privileges
Control 3 – Continuous Vulnerability Management
Control 2 – Inventory and Control of Software Assets
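Requirements 1, 2, 4 and 6 of Control 2 boil down to one recurring job: reconcile each inventory scan against the authorized list, tag anything past vendor support as unsupported, and surface anything not on the list for removal or an inventory update. The script below is an added illustration of that reconciliation, not code from the original post or from any Tripwire product; the hosts, product names, publishers and end-of-support dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Installed:
    """One row from a software inventory scan: the requirement 4 fields plus the host."""
    host: str
    name: str
    version: str
    publisher: str
    install_date: date


@dataclass(frozen=True)
class Authorized:
    """One row of the authorized-software list (requirement 1)."""
    name: str
    publisher: str
    end_of_support: date  # vendor support end; past this the entry is tagged unsupported (requirement 2)


# Constructed sample data: hosts, products, publishers and dates are made up for this example.
TODAY = date(2018, 6, 1)  # constructed scan date
INVENTORY = [
    Installed("ws-01", "Acme Office", "2018.1", "Acme Corp", date(2018, 3, 2)),
    Installed("ws-01", "LegacyDB Client", "5.1", "LegacyWare", date(2015, 8, 19)),
    Installed("ws-02", "Acme Office", "2018.1", "Acme Corp", date(2018, 3, 4)),
    Installed("ws-02", "Mystery Downloader", "0.9", "Unknown", date(2018, 5, 30)),
]
AUTHORIZED = [
    Authorized("Acme Office", "Acme Corp", date(2023, 12, 31)),
    Authorized("LegacyDB Client", "LegacyWare", date(2017, 12, 31)),
]


def _key(name: str, publisher: str) -> Tuple[str, str]:
    # Match case-insensitively; inventory tools rarely normalise name or publisher strings.
    return (name.strip().lower(), publisher.strip().lower())


def classify(item: Installed, authorized: List[Authorized], today: date) -> str:
    """Tag one inventory row as 'authorized', 'unsupported' or 'unauthorized'."""
    lookup = {_key(a.name, a.publisher): a for a in authorized}
    entry = lookup.get(_key(item.name, item.publisher))
    if entry is None:
        return "unauthorized"   # requirement 6: remove it or update the inventory
    if today > entry.end_of_support:
        return "unsupported"    # requirement 2: stays tagged, never silently approved
    return "authorized"


def reconcile(inventory: List[Installed], authorized: List[Authorized], today: date) -> Dict[str, List[Installed]]:
    """Bucket the whole scan by tag so each bucket can feed a ticket or report."""
    report: Dict[str, List[Installed]] = {"authorized": [], "unsupported": [], "unauthorized": []}
    for item in inventory:
        report[classify(item, authorized, today)].append(item)
    return report


if __name__ == "__main__":
    for tag, items in reconcile(INVENTORY, AUTHORIZED, TODAY).items():
        for i in items:
            print(f"{tag:12} {i.host:6} {i.name} {i.version} ({i.publisher}, installed {i.install_date})")
```

Running it on the sample scan tags the LegacyDB client as unsupported and the unknown-publisher download on ws-02 as unauthorized, which are exactly the two buckets the baseline-then-monitor approach in requirement 1 is meant to keep empty.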