Essential Action Lists

There are three levels of security actions:

LevelOne Security Actions

In LevelOne, security, system, and networking administrators make the computing environment less vulnerable by correcting flaws in the software installed on their computers and by implementing technical controls. Each action is usually authorized and controlled by a policy.

1.1 - Implement online warnings to inform each user of the rules for access to your organization's systems. Without such warnings, internal and external attackers can often avoid prosecution even if they are caught.

1.2 - Establish a protective net of filters to detect and eradicate viruses, covering workstations (PCs), servers, and gateways. Ensure that virus signatures are kept up-to-date.

1.3 - Make sure that backups are run regularly, that files can be restored from those backups, and that sysadmins have the up-to-date skills needed to run special backups on all systems immediately in case an attack is detected. Without good backups, small security breaches can become calamities, both in terms of financial loss and time wasted.

1.4 - Enable logging for important system-level events and for services and proxies, and set up a log archiving facility. Systems without effective logging are blind and make it difficult to learn what happened during an attack, or even whether an attack actually was successful.

1.5 - Perform system audits to learn who is using your system, to assess the existence of open ports for outsiders to use, and to review several other security-related factors about your system.

1.6 - Run password-cracking software to identify easy-to-guess passwords.* Weak passwords allow attackers to appear as "authorized" users. That allows them to test weaknesses until they find ways to take control of those systems.

1.7 - Install a firewall and enhance the firewall rule sets to block most sources of malicious traffic. Running a network system without a firewall is equivalent to leaving the doors of your house unlocked in a dangerous neighborhood.

1.8 - Set access control lists (ACLs) on routers.*** Routers can provide an extra layer of protection.

1.9 - Scan the network to create and maintain a complete map of systems to which you are connected.

1.10 - Use network-based vulnerability scanners to look for any of the 22 LevelOne vulnerabilities and correct those that are found.** The LevelOne vulnerabilities have been developed in conjunction with the Common Vulnerabilities and Exposures project, a partnership of government, industry and academia.

1.11 - Implement the latest applicable patches, remove or tighten unnecessary services, and tighten system settings on each host operating system (as described in the SANS Step-by-Step guides).

1.12 - Establish a host-based perimeter.

1.13 - Implement a file integrity (cryptographic fingerprinting) system to ensure that you can tell which files were changed in an attack.

1.14 - Select an incident response team and establish the procedures to be used to respond to various types of attacks.

For many smaller organizations, and for any organization whose business does not depend on internet-based commerce or on the public trust, the actions of LevelOne may be sufficient if coupled with an ongoing monitoring system to ensure that new problems are uncovered and solved quickly. For most large organizations, however, and for those for whom public trust means survival, higher levels of security action are required.

* Each action on this list should be preceded by the creation of policies that authorize the action. Several of the actions, and this one in particular, must be fully and carefully covered by policy and by the advance knowledge and approval of senior management. In some organizations, cracking passwords without authorization is grounds for immediate dismissal and, if national security is involved, may be grounds for criminal prosecution.
** The LevelOne vulnerabilities tested here are those that allow your systems to be penetrated or closed down by easy-to-find, easy-to-use attack programs available to any interested troublemaker. As you would expect, the list is continuously being updated.

LevelTwo Security Actions

LevelTwo actions move the focus from individual systems to the enterprise and raise the barriers to attackers even further, paying special attention to intrusion detection, to finding and fixing unprotected "back doors", and to ensuring that remote access points are well secured. LevelTwo also focuses on threats from insiders and on improving monitoring of the systems that contain the most critical information and support the most important business functions. Organizations increase their security to LevelTwo in order to make a concerted effort to stay ahead of the attackers and especially to be prepared for insider attacks. Not every computer needs LevelTwo protection, and one of the first tasks in LevelTwo is to identify the systems that need extra security.

2.1 - Identify the systems that must be protected for business to continue or trust to be maintained. These are called the "crown jewels." Many of the other actions in LevelTwo apply primarily to those very important systems.

2.2 - Implement instrumentation (such as host-based intrusion detection and cryptographic file fingerprinting) for the crown jewels to enable immediate response to unauthorized access.

2.3 - Conduct a physical security assessment and correct insecure access and other physical security weaknesses.

2.4 - Implement intrusion detection sensors and analysis stations.

2.5 - Implement audited access only for crown jewels using one or more forms of encryption, certificates, or tokens.

2.6 - Assess and strengthen dial-in service configuration.

2.7 - Conduct a modem sweep to search for back doors.

2.8 - Search for and eradicate sniffer programs.
2.9 - Conduct a LevelTwo vulnerability scan, searching for additional vulnerabilities that have been exploited but are rarer and more sophisticated than those in LevelOne.

2.10 - Correct the LevelTwo vulnerabilities that are found.

LevelThree Security Actions

Security, system, and network administrators can make a significant difference in improving security by implementing the actions of LevelOne and LevelTwo. However, their work can be partially or completely thwarted by security breaches caused by one or a combination of factors involving the people who use those computers and networks. LevelThree actions are designed to help reduce the chance that such security breaches will occur. LevelThree actions are focused on overcoming organizational impediments to security and may be more difficult to implement than those in LevelOne and LevelTwo. There is an acute need for LevelThree security actions. Banking executives and senior military officials with experience analyzing the causes of multiple successful attacks have demonstrated the strongest support for LevelThree actions.

3.1 - Implement configuration management controls for the introduction of new systems to the network (the "Occupancy Permit" program).

3.2 - Implement regular network mapping and scanning to ensure compliance with the new system introduction controls.

3.3 - Implement a "Building Permit" program to reduce the chance that newly deployed applications will introduce unexpected vulnerabilities.

3.4 - Implement a "Drivers License" program and related security awareness education to help users know what to do in case they encounter a potential security breach and how they can avoid unsafe computing.

3.5 - Implement encryption, possibly as a virtual private network, to avoid disclosure of sensitive information traveling over the network.

3.6 - Tighten security of the web server.

3.7 - Implement more sophisticated log file analysis.

What Comes First, The Plan or The Actions?

Whenever any list of security actions is formulated, a question arises as to whether it would be wise to delay implementation until a full-scale risk assessment and security architecture are in place. A committee of the Security Council of the CIO Institute addressed that question directly in its August 30 Computerworld article, "Computer Security's Top Three Questions." In that article, the Council, made up of Chief Information Security Officers from some of the largest organizations in the world, wrote, "Sophisticated security plans take a long time to evolve. Concerned organizations don't wait for a grand plan. Instead, as they identify internal and external threats and vulnerabilities, they recognize that they probably need to be safer than they are and they identify a set of basic controls and then systematically implement them. The basics are often the simplest and least expensive actions and offer substantial leverage for discouraging intruders."
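The file integrity (cryptographic fingerprinting) system called for in action 1.13, and applied to the crown jewels in action 2.2, comes down to three steps: record a SHA-256 digest of every monitored file while the system is known-good, store that baseline somewhere the monitored host cannot rewrite, and periodically recompute and compare. The following is an added example written for this page, not code from the SANS list or from any product; the directory layout, file names, and the "tampering" it simulates are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint_file(path, chunk_size=65536):
    """SHA-256 digest of one file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256 digest.
    Symlinks are skipped so a link pointing outside the tree cannot stand in for the file it names."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = fingerprint_file(path)
    return baseline


def save_baseline(baseline, out_file):
    """Write the baseline as JSON. Keep this copy off the monitored host or on read-only media;
    otherwise an intruder who can alter files can alter the fingerprints as well."""
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file):
    return json.loads(Path(in_file).read_text())


def compare(baseline, current):
    """Report which files were added, removed, or modified since the baseline was taken."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: fingerprint a small tree, then simulate the traces an intrusion leaves
    (a replaced binary, a deleted config file, a new file) and report what the comparison finds.
    The baseline is written to a second directory to stand in for off-host storage."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        store_file = Path(store) / "baseline.json"
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "ssh_config").write_text("Port 22\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed original binary")
        save_baseline(build_baseline(root), store_file)
        # Simulated changes after the baseline was taken (constructed, not real tampering)
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed replaced binary")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "unexpected.conf").write_text("constructed new file\n")
        return compare(load_baseline(store_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For the crown jewels of action 2.2, run the comparison on a schedule and treat any non-empty result as an incident for the team chosen in action 1.14; the baseline must be refreshed only through the change-control process, since a baseline that anyone can regenerate tells you nothing.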
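Action 1.4 asks for logging and a log archiving facility, and action 3.7 for "more sophisticated log file analysis" on top of it. One concrete form of the latter is correlation across lines rather than matching single lines: the analysis below groups sshd authentication events by source address, raises an alert when one source accumulates a threshold of failures inside a time window, and raises a second, higher-priority alert when a login from that source then succeeds while those failures are still recent. This is an added example for this page, not code from the SANS list; the log lines are constructed, the syslog year (which syslog omits) is assumed, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines for the demonstration; they are not real log data.
SAMPLE_LOG = """\
Mar 10 02:14:01 gw sshd[4711]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 gw sshd[4711]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 gw sshd[4712]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:06 gw sshd[4713]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:08 gw sshd[4714]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:10 gw sshd[4715]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 02:30:00 gw sshd[4720]: Failed password for alice from 192.0.2.15 port 40001 ssh2
Mar 10 02:30:04 gw sshd[4721]: Accepted publickey for alice from 192.0.2.15 port 40002 ssh2
Mar 10 03:00:00 gw sshd[4730]: Failed password for bob from 198.51.100.9 port 33000 ssh2
Mar 10 03:45:00 gw sshd[4731]: Failed password for bob from 198.51.100.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(text, year=2024):
    """Turn raw lines into events. Syslog timestamps carry no year, so one is assumed
    (2024 for the constructed data). Lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def analyze(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window correlation per source address.

    'brute_force' fires once a source reaches `threshold` failures inside `window`.
    'success_after_failures' fires when a login from that source succeeds while those
    failures are still inside the window; that is the case needing immediate response."""
    recent_failures = defaultdict(list)  # src -> failure timestamps still inside the window
    already_flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        fails = recent_failures[src]
        # Expire failures that have fallen out of the window relative to this event
        while fails and ev["ts"] - fails[0] > window:
            fails.pop(0)
        if ev["result"] == "Failed":
            fails.append(ev["ts"])
            if len(fails) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append({"type": "brute_force", "src": src, "count": len(fails), "at": ev["ts"]})
        elif len(fails) >= threshold:
            alerts.append({"type": "success_after_failures", "src": src, "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed data the two slow failures from 198.51.100.9 never meet the threshold within ten minutes, so they produce no alert, while 203.0.113.7 produces both alerts. Running this kind of analysis on the archived copy of the logs rather than on the originating host (the archiving facility of action 1.4) matters because an intruder who gains control of the host can edit its local logs but not the copies already shipped away.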