Essential Action Lists
There are three levels of security actions:
LevelOne Security Actions
In LevelOne, security, system, and networking administrators make the
computing environment less vulnerable by correcting flaws in the software
installed on their computers and by implementing technical controls. Each
action is usually authorized and controlled by a policy.
1.1 - Implement online warnings to inform each user of the rules for access
to your organization's systems. Without such warnings, internal and external
attackers can often avoid prosecution even if they are caught.
1.2 - Establish a protective net of filters to detect and eradicate
viruses - covering workstations (PCs), servers, and gateways. Ensure that
virus signatures are kept up-to-date.
1.3 - Make sure that back-ups are run regularly, that files can be restored
from those backups, and that sysadmins have up-to-date skills needed to run
special backups on all systems immediately in case an attack is detected.
Without good backups, small security breaches can become calamities - both
in terms of financial loss and time wasted.
1.4 - Enable logging for important system level events and for services and
proxies, and set up a log archiving facility. Systems without effective
logging are blind and make it difficult to learn what happened during an
attack, or even whether an attack actually was successful.
1.5 - Perform system audits to learn who is using your system, to assess the
existence of open ports for outsiders to use, and to review several other
security-related factors about your system.
1.6 - Run password-cracking software to identify easy-to-guess passwords.*
Weak passwords allow attackers to appear as "authorized" users. That allows
them to test weaknesses until they find ways to take control of those
systems.
1.7 - Install a firewall and enhance the firewall rule sets to block most
sources of malicious traffic. Running a network system without a firewall
is equivalent to leaving the doors of your house unlocked in a dangerous
neighborhood.
1.8 - Set access control lists (ACLs) on routers. ***  Routers can provide
an extra layer of protection.
1.9 - Scan the network to create and maintain a complete map of systems to
which you are connected.
1.10 - Use network-based vulnerability scanners to look for any of the 22
LevelOne vulnerabilities and correct those that are found.**  The LevelOne
vulnerabilities have been developed in conjunction with the Common
Vulnerabilities and Exposures project, a partnership of Government, industry
and academia.
1.11 - Implement the latest applicable patches, remove or tighten
unnecessary services, and tighten system settings on each host operating
system (as described in SANS Step-by-Step guides).
1.12 - Establish a host-based perimeter.
1.13 - Implement a file integrity (cryptographic fingerprinting) system to
ensure that you can tell which files were changed in an attack.
1.14 - Select an incident response team and establish the procedures to be
used to respond to various types of attacks.
For many smaller organizations, and for any organization whose business does
not depend on internet-based commerce or on the public trust, the
actions of LevelOne may be sufficient if coupled with an ongoing monitoring
system to ensure that new problems are uncovered and solved quickly.

For most large organizations, however, and those for whom public trust means
survival, higher levels of security action are required.

* Each action on this list should be preceded by the creation of policies
that authorize the action. Several of the actions, and this one in
particular, must be fully and carefully covered by policy and advanced
knowledge and approval of senior management. In some organizations, cracking
passwords without authorization is grounds for immediate dismissal and, if
national security is involved, may be grounds for criminal prosecution.

** LevelOne vulnerabilities tested here are those that allow your systems to
be penetrated or closed down by easy-to-find, easy-to-use attack programs
available to any interested troublemaker. As you would expect, the list is
continuously being updated.

LevelTwo Security Actions
LevelTwo actions move the focus from individual systems to the enterprise
and raise the barriers to attackers even further, paying special attention
to intrusion detection, finding and fixing unprotected "back doors" and
ensuring that remote access points are well secured. LevelTwo also focuses
on threats from insiders and on improving monitoring on systems that contain
the most critical information and support the most important business
functions.

Organizations increase their security to LevelTwo in order to make a
concerted effort to stay ahead of the attackers and especially to be
prepared for insider attacks. Not every computer needs LevelTwo protection
and one of the first tasks in LevelTwo is to identify the systems that need
extra security.
2.1 - Identify the systems that must be protected for business to continue
or trust to be maintained. These are called the "crown jewels." Many of the
other tasks in LevelTwo apply primarily to those very important
systems.
2.2 - Implement instrumentation (such as host-based intrusion detection and
cryptographic file fingerprinting) for the crown jewels to enable immediate
response to unauthorized access.
2.3 - Conduct a physical security assessment and correct insecure access and
other physical security weaknesses.
2.4 - Implement intrusion detection sensors and analysis stations.
2.5 - Implement audited access only for crown jewels using one or more forms
of encryption, certificates, or tokens.
2.6 - Assess and strengthen dial-in service configuration.
2.7 - Conduct a modem sweep to search for back doors.
2.8 - Search for and eradicate sniffer programs.
2.9 - Conduct a LevelTwo vulnerability scan, searching for additional
vulnerabilities that have been exploited but are more rare and sophisticated
than those in LevelOne.
2.10 - Correct the LevelTwo vulnerabilities that are found.
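Actions 1.13 and 2.2 both call for cryptographic file fingerprinting so that, after an incident, you can say exactly which files changed. The following is an added example, not code from the original page or from SANS: it records a SHA-256 baseline of every regular file under a directory, stores it as JSON, and later classifies files as added, removed or modified. The sample directory tree and the tampering applied to it are constructed inline so the example runs offline.

```python
# Added example (not from the original page): a minimal cryptographic file
# fingerprinting tool of the kind actions 1.13 and 2.2 call for. It records a
# SHA-256 baseline of every regular file under a directory and later reports
# which files were added, removed or modified. The sample tree and the
# tampering that alters it are constructed inline so the example runs offline.
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file below root (relative POSIX path) to its digest.

    Symlinks are skipped so a link pointing outside the tree cannot pull a
    foreign file into the baseline or make the scan follow it.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline, current):
    """Classify the differences between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    """Write the baseline as JSON. Keep this copy off the host or on
    read-only media: an intruder who can alter the baseline can hide."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a constructed tree, snapshot it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "login").write_bytes(b"constructed stand-in for a binary\n")

        # The baseline lives in a separate directory so it is not part of
        # the tree it describes.
        baseline_file = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering: one binary replaced, one config file removed,
        # one file added.
        (root / "bin" / "login").write_bytes(b"replaced stand-in for a binary\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "rc.local").write_text("# constructed new file\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints one entry in each category (`etc/rc.local` added, `etc/hosts` removed, `bin/login` modified). The baseline is only as trustworthy as its storage: a real deployment writes it somewhere the monitored host cannot change, and rebuilds it only through the same change-control process that authorizes the file changes themselves.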

LevelThree Security Actions
Security and system and network administrators can make a significant
difference in improving security by implementing the actions of LevelOne and
LevelTwo. However, their work can be partially or completely thwarted by
security breaches caused by one or a combination of factors involving people
who use those computers and networks. LevelThree actions are designed to
help reduce the chance that such security breaches will occur. LevelThree
actions are focused on overcoming organizational impediments to security and
may be more difficult to implement than those in LevelOne and LevelTwo.
There is an acute need for LevelThree security actions. Banking executives
and senior military officials with experience analyzing the causes of
multiple successful attacks have demonstrated the strongest support for
LevelThree actions.
3.1 - Implement configuration management controls for the introduction of
new systems to the network. (The "Occupancy Permit" program)
3.2 - Implement regular network mapping and scanning to ensure compliance
with new system introduction controls.
3.3 - Implement a "Building Permit" program to reduce the chance that newly
deployed applications will introduce unexpected vulnerabilities.
3.4 - Implement a "Drivers License" program and related security awareness
education to help users know what to do in case they encounter a potential
security breach and how users can avoid unsafe computing.
3.5 - Implement encryption, possibly as a virtual private network, to avoid
disclosure of sensitive information traveling over the network.
3.6 - Tighten security of the web server.
3.7 - Implement more sophisticated log file analysis.
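Action 1.4 asks for logging and a log archive; action 3.7 asks for more sophisticated analysis of those logs. The following added example (not code from the original page or from SANS) shows one such analysis over constructed sshd lines in traditional syslog format: it keeps a sliding window of failed logins per source address, reports a source once it crosses a failure threshold, and separately reports a successful login from a source that has just produced a burst of failures, which is the event an analyst most wants to see. The sample addresses come from documentation ranges, and because syslog timestamps carry no year, the caller supplies one; both are assumptions of this example.

```python
# Added example (not from the original page): a small log analyser of the kind
# actions 1.4 and 3.7 call for. It parses constructed sshd lines in syslog
# format, keeps a sliding window of failed logins per source address, and
# raises an alert when a source crosses a failure threshold or when a login
# from that source succeeds right after a burst of failures.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 14 02:11:01 host1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 14 02:11:03 host1 sshd[2013]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Mar 14 02:11:05 host1 sshd[2015]: Failed password for root from 203.0.113.5 port 40131 ssh2
Mar 14 02:11:07 host1 sshd[2017]: Failed password for root from 203.0.113.5 port 40140 ssh2
Mar 14 02:11:09 host1 sshd[2019]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar 14 02:11:12 host1 sshd[2021]: Accepted password for root from 203.0.113.5 port 40150 ssh2
Mar 14 02:30:00 host1 sshd[2101]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Mar 14 02:30:20 host1 sshd[2103]: Accepted password for alice from 192.0.2.10 port 51002 ssh2
Mar 14 03:00:00 host1 CRON[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9.]+) port \d+"
)


def parse_line(line, year):
    """Return a dict for an sshd password event, or None for any other line.

    Traditional syslog timestamps carry no year, so the caller supplies one
    (an assumption of this example).
    """
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def analyze(lines, threshold=5, window=timedelta(minutes=10), year=2024):
    """Scan log lines in order and return a list of alert dicts."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already reported once
    alerts = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Drop failures that have aged out of the window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"kind": "brute_force", "src": ev["src"],
                               "user": ev["user"], "failures": len(recent),
                               "ts": ev["ts"]})
        elif len(recent) >= threshold:
            # A success right after a burst of failures deserves its own
            # alert: it may mean a guessed password rather than a typo.
            alerts.append({"kind": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "failures": len(recent),
                           "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['kind']:24} src={alert['src']} "
              f"user={alert['user']} failures={alert['failures']}")
```

On the sample lines the analyser reports two alerts for 203.0.113.5 (the burst of five failures, then the root login that follows it) and nothing for 192.0.2.10, whose single failure followed by a success looks like an ordinary mistyped password. The threshold and window are the tuning knobs; the same structure extends to other log sources once a parser for their line format is added.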

What Comes First, The Plan or The Actions?
Whenever any list of security actions is formulated, a question arises as to
whether it would be wise to delay implementation until a full-scale risk
assessment and security architecture are in place.

A committee of the Security Council of the CIO Institute addressed that
question directly in its August 30, Computerworld article on "Computer
Security's Top Three Questions." In that article, the Council, made up of
Chief Information Security Officers from some of the largest organizations
in the world, wrote, "Sophisticated security plans take a long time to
evolve. Concerned organizations don't wait for a grand plan. Instead, as
they identify internal and external threats and vulnerabilities, they
recognize that they probably need to be safer than they are and they
identify a set of basic controls and then systematically implement them. The
basics are often the simplest and least expensive actions and offer
substantial leverage for discouraging intruders."
