
Hardening by using CIS – A Holistic Approach

System hardening refers to the process of securing a computer system by reducing its vulnerability to potential threats and attacks. This is achieved by taking various measures, such as configuring the system’s software and hardware components to eliminate known security weaknesses, disabling unnecessary services, limiting user privileges, implementing access controls and firewalls, and regularly updating and patching software to address known vulnerabilities.

System hardening aims to create a more secure computing environment that is less susceptible to unauthorized access, data breaches, malware infections, and other types of security threats. This is particularly important for systems that store sensitive or confidential information, such as financial data, medical records, and government intelligence.

System hardening is an ongoing process that requires continuous monitoring and maintenance to ensure that the system remains secure and up to date with the latest security patches and updates. It is an important aspect of cybersecurity that is essential for protecting sensitive information and maintaining the trust of users and customers.

The CIS (Center for Internet Security) benchmarks are a set of consensus-based configuration guidelines that provide a comprehensive framework of security controls and settings for hardening many types of systems, including cloud deployments. They cover operating systems, applications, network devices and cloud platforms, are designed for organizations of all sizes and types, and can be customized to meet specific security needs. They can be applied at both the tactical and the operational level.

At the tactical level, the CIS benchmarks can be applied to individual systems and devices to ensure that they are configured securely. For example, an IT administrator may use the CIS benchmarks to configure a web server or database server in accordance with best practices. This can help to prevent common security issues such as unauthorized access, data breaches, and malware infections.

At the operational level, the CIS benchmarks can be used to establish policies and procedures that govern how systems and devices are configured and maintained. This can help to ensure that all systems are configured consistently and securely across an organization. 

In summary, the CIS benchmarks can be applied at both the tactical and operational levels to improve security posture and reduce the risk of security breaches. The benchmarks provide a set of best practices that can be customized to meet specific security needs and can be applied to individual systems and broader organizational policies and procedures.

One of the main tools provided by CIS is CIS-CAT Pro, which scans and assesses systems against the CIS benchmarks and generates reports on areas of non-compliance. The tool also provides remediation guidance for the issues it finds, so that systems can be brought into compliance with the benchmarks.

In addition to CIS-CAT Pro, other tools and scripts can help automate system hardening based on the CIS benchmarks, including the CIS Build Kits (Group Policy Objects and shell scripts that apply benchmark settings) and configuration-management content for tools such as Ansible. These help streamline the implementation of the controls and settings the benchmarks recommend, reducing the potential for human error and saving time and resources.

Automating system hardening using the CIS benchmarks can help to ensure that security controls and configurations are consistently applied across all systems and networks, reducing the potential for security vulnerabilities and improving overall security posture.

Reducing the attack surface is an essential goal of system hardening, and the CIS benchmarks are a valuable tool for achieving it, particularly when cross-referenced with MITRE ATT&CK. Start by identifying the systems and applications that are most critical to your business and prioritize them for hardening based on their level of risk. Remember that system hardening is an ongoing process: regularly review and update your security controls and settings to address new threats and vulnerabilities as they emerge. So create your security baseline first, then reduce the attack surface against it.

Both MITRE and CIS help with selecting controls, in the sense that each provides guidance on the controls organizations can implement to improve their security. MITRE's ATT&CK framework helps organizations identify the techniques attackers are likely to use and lists the mitigations that can counter them. Similarly, the CIS Controls provide a prioritized list of actions organizations can take to improve their security posture. It is possible to use MITRE and the CIS benchmarks at the same time. Our approach to implementing holistic controls for our customers incorporates both frameworks, and that is what we do as consultants at Securitybricks.

MITRE’s ATT&CK framework provides a comprehensive view of adversaries’ tactics and techniques to attack systems and networks. It provides a framework for understanding the different stages of an attack and the techniques that are commonly used at each stage. The framework can help organizations identify gaps in their defenses and prioritize their security investments to address the most critical risks.

The CIS benchmarks, on the other hand, provide prescriptive guidance on how to secure individual systems and devices. They provide a set of best practices for configuring systems to reduce the risk of common security issues such as unauthorized access, data breaches, and malware infections.

To implement a holistic set of controls that incorporates both the MITRE and CIS frameworks, we use ATT&CK to identify the tactics and techniques most relevant to the customer's specific environment. We then use the CIS benchmarks to implement best practices for securing individual systems and devices in a way that addresses those specific risks.
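As an added example (not code from CIS, CIS-CAT or the page's author) of what a tactical-level benchmark check looks like once automated, the Python script below audits a constructed sshd_config and sysctl.conf excerpt against a small illustrative subset of CIS Linux benchmark recommendations, reports pass/fail with the remediation, and tags each check with the ATT&CK technique it helps mitigate, in the spirit of the combined MITRE/CIS approach described above. The benchmark's own numbering is omitted and the ATT&CK tags are an assumed mapping for illustration, not CIS's or MITRE's published mapping. One detail such scripts often get wrong is precedence: sshd applies the first value it sees for a keyword, while sysctl applies the last, and the parser honours both.

```python
"""Audit a subset of CIS Linux benchmark settings from sshd_config and sysctl files."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Check:
    name: str
    source: str                    # "sshd" or "sysctl"
    key: str
    ok: Callable[[str], bool]      # predicate over the observed value
    remediation: str
    technique: str                 # ATT&CK technique the check mitigates (assumed mapping)


# Illustrative subset of CIS Linux benchmark recommendations (benchmark numbering omitted);
# the ATT&CK tags are an assumption made for this example, not CIS's or MITRE's mapping.
CHECKS: List[Check] = [
    Check("SSH root login disabled", "sshd", "permitrootlogin",
          lambda v: v.lower() == "no", "PermitRootLogin no", "T1078 Valid Accounts"),
    Check("SSH MaxAuthTries is 4 or less", "sshd", "maxauthtries",
          lambda v: v.isdigit() and int(v) <= 4, "MaxAuthTries 4", "T1110 Brute Force"),
    Check("SSH X11 forwarding disabled", "sshd", "x11forwarding",
          lambda v: v.lower() == "no", "X11Forwarding no", "T1021 Remote Services"),
    Check("ASLR enabled", "sysctl", "kernel.randomize_va_space",
          lambda v: v == "2", "kernel.randomize_va_space = 2", "T1068 Exploitation for Privilege Escalation"),
    Check("IP forwarding disabled", "sysctl", "net.ipv4.ip_forward",
          lambda v: v == "0", "net.ipv4.ip_forward = 0", "T1557 Adversary-in-the-Middle"),
    Check("setuid core dumps disabled", "sysctl", "fs.suid_dumpable",
          lambda v: v == "0", "fs.suid_dumpable = 0", "T1003 OS Credential Dumping"),
]

# OpenSSH compiled-in defaults for keywords a config file may leave unset.
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password", "maxauthtries": "6", "x11forwarding": "no"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """sshd keeps the FIRST value it sees for a keyword; keywords are case-insensitive.
    Parsing stops at the first Match block, whose settings are conditional."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """sysctl.conf semantics are the opposite: the LAST assignment of a key wins."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        effective[key] = value
    return effective


@dataclass
class Result:
    check: Check
    passed: bool
    observed: Optional[str]      # None when neither the file nor a known default sets it


def audit(sshd_text: str, sysctl_text: str) -> List[Result]:
    sshd, sysctl = parse_sshd_config(sshd_text), parse_sysctl_conf(sysctl_text)
    results = []
    for c in CHECKS:
        observed = sshd.get(c.key, SSHD_DEFAULTS.get(c.key)) if c.source == "sshd" else sysctl.get(c.key)
        results.append(Result(c, observed is not None and c.ok(observed), observed))
    return results


def report(results: List[Result]) -> List[str]:
    lines = []
    for r in results:
        line = f"[{'PASS' if r.passed else 'FAIL'}] {r.check.name}: observed={r.observed!r}"
        if not r.passed:
            line += f" -> set '{r.check.remediation}' (mitigates {r.check.technique})"
        lines.append(line)
    return lines


# Constructed sample input for the demonstration; not taken from a real host.
SAMPLE_SSHD = """\
Port 22
PermitRootLogin yes
PermitRootLogin no   # ignored by sshd: the first value above wins
MaxAuthTries 6
"""
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 0   # last assignment wins
kernel.randomize_va_space = 2
"""

if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_SSHD, SAMPLE_SYSCTL))))
```

On a real host, feed the audit the output of `sshd -T` rather than the raw file, because that is the effective configuration after Include and Match processing, and compare sysctl keys against `sysctl -a` rather than only the file. CIS-CAT Pro and the CIS Build Kits cover the full benchmark; the point of the script is the shape of a check: a key, an expected-value predicate, a remediation, and the threat it addresses.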

CMMC 800-171 Solution on ServiceNow GRC Platform

Is your organization struggling to keep up with the complex requirements of Vendor Risk Management and the NIST 800-171 standards? You need Securitybricks’ innovative ServiceNow GRC Vendor Risk CMMC application.

I’m Donna, a passionate Risk, Compliance, and ServiceNow GRC expert, and I’m thrilled to introduce our latest project: a simple, easy-to-use Vendor Risk Management application that streamlines compliance assessments of downstream vendors and suppliers in accordance with your organization’s CMMC Level.

Built upon the powerful ServiceNow Vendor Risk Management Module, our CMMC app is designed to make compliance easier for you. If you’re an existing GRC Vendor Risk Management customer, you’ll be able to integrate our app seamlessly into your current process. We built the app on ServiceNow specifically to address CMMC requirements for subcontractors. With a user-friendly Questionnaire and Assessment, it’s never been easier to launch your CMMC vendor compliance assessments. We offer two levels (Level 1 and Level 2) to suit your organization’s specific needs. Installation is as simple as downloading from the ServiceNow Store, installing in your GRC Vendor Risk instance and then, as the Vendor Risk Manager, creating a CMMC Assessment from the prebuilt CMMC assessment templates and assigning it to the vendor to complete.

We’re proud to offer this application to you for FREE, exclusively in the ServiceNow Store. It will be available for download at the end of Q1 2023, and our Version 1 solution is designed to work with the latest ServiceNow Tokyo and Utah releases. Our app uses out-of-the-box roles for Vendor Risk Managers to create the assessments and for Vendors to respond to them, making it simple and straightforward to use.

Not Your Keys, Not Your Coins

In the world of cryptocurrency, the phrase “not your keys, not your coins” is a reminder of the importance of maintaining control over your own private keys.

A private key is a secret value that controls a cryptocurrency wallet and the coins in it: it is what signs the transactions that move them. Without the private key, the coins in that wallet cannot be accessed or transferred. This means that if you do not control your own private keys, you do not truly own the coins in that wallet.

This is where the concept of “not your keys, not your coins” comes into play. When you store your coins on a centralized exchange or with a third-party custodian, you are effectively giving up control of your private keys to that entity. While they may promise to keep your coins safe, they are also in control of the coins and can make decisions on how to use them without your consent.

In contrast, when you store your coins in a self-custodied wallet, such as a hardware wallet or a software wallet whose private keys you control, you always retain control of your coins. You alone decide how they are used, whether that is transferring them to another wallet or selling them on an exchange.

When storing coins in a self-custodied wallet, you should also protect it with a passphrase. Your wallet has a key file or a mnemonic (seed) phrase associated with it; adding a passphrase gives you an extra layer of security for yourself and your funds. Tools such as MetaMask are good for Ethereum, Polygon and many other EVM-compatible networks. MetaMask shows you your mnemonic phrase when you set up the wallet, and you should store it as if you were storing gold in Fort Knox: this phrase gives access to all the funds in your wallet.
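To make concrete what the mnemonic phrase and passphrase actually are, here is an added example (not MetaMask's code or the author's) that derives a wallet seed from a BIP39 phrase and passphrase exactly as the BIP39 specification does, using only Python's standard library. The mnemonic is the published all-zero-entropy BIP39 test vector, so it holds no one's funds; the seed-fingerprint convention is an assumption made for the example.

```python
"""BIP39: mnemonic phrase plus optional passphrase -> wallet seed."""
import hashlib
import hmac
import unicodedata

# Published BIP39 test vector (all-zero entropy). It is public, so it holds no one's funds;
# never use it, or any phrase that has ever been typed into a web page, for a real wallet.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte seed exactly as BIP39 specifies:
    PBKDF2-HMAC-SHA512(password=NFKD(mnemonic), salt="mnemonic"+NFKD(passphrase), 2048 rounds)."""
    words = " ".join(mnemonic.split())                     # collapse stray whitespace
    password = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_fingerprint(seed: bytes) -> str:
    """Short public fingerprint of a seed, safe to write down next to the phrase so that a
    restore can be verified. This SHA-256 based convention is an assumption for the example,
    not the BIP32 master-key fingerprint that wallets display."""
    return hashlib.sha256(b"seed-fingerprint:" + seed).hexdigest()[:8]


def restore_matches(mnemonic: str, passphrase: str, recorded_fingerprint: str) -> bool:
    """The failure mode a passphrase introduces: there is no checksum on it, so a typo
    silently yields a different, empty wallet instead of an error. Checking a recorded
    fingerprint before sending funds to a restored wallet catches that."""
    observed = seed_fingerprint(bip39_seed(mnemonic, passphrase))
    return hmac.compare_digest(observed, recorded_fingerprint)


if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, "TREZOR")
    print("seed:", seed.hex())
    print("fingerprint:", seed_fingerprint(seed))
    print("same phrase without the passphrase restores the same wallet?",
          restore_matches(TEST_MNEMONIC, "", seed_fingerprint(seed)))   # False
```

Two things the code shows that the text does not. First, the passphrase produces a completely different seed, so a thief who copies the phrase alone does not get the passphrase-protected wallet, provided the passphrase is stored separately. Second, the passphrase has no checksum: a mistyped passphrase silently opens a different, empty wallet rather than failing, which is why a recorded fingerprint (or a small test transfer) should be checked before moving funds into a restored wallet. MetaMask's "secret recovery phrase" is a BIP39 mnemonic; its own password only encrypts that phrase on the device and is not this BIP39 passphrase.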

Luckily, if you believe your wallet has been compromised, setting up a new phrase is easier than opening a bank account: create a new wallet (on a system you trust is not compromised) and transfer all your funds to it. The concept of “not your keys, not your coins” is especially important in the world of cryptocurrency because, unlike traditional financial systems, there is no central authority that can help you recover your coins if you lose access to them. If you lose control of your private keys, you may permanently lose access to your coins.

Self-custody of your assets means you are responsible for all your funds. This is a blessing for people who have been affected by outages during huge volatility spikes on exchanges. Many notable spikes occur when cryptocurrencies like Bitcoin, Ethereum and Solana move 10% or more within a couple of minutes. If you try to sell, the exchange may limit you as it tries to keep liquidity available on both the cryptocurrency and the fiat side.

Other events, like the recent FTX collapse, show how your funds can be used in ways you did not intend. The same was true of the lending-platform scams of 2017-2018, the Mt. Gox collapse of 2013-2014 and many similar events.

Keep in mind that in the world of cryptocurrency, your keys are your coins. Maintaining control over your own private keys is essential to truly owning and controlling your coins, so store them in a self-custodied wallet whose private keys you control.

How Secure is Your Data in the Cloud?

Have you moved to the cloud and think your data is secure because the cloud service uses encryption? Depending on the sensitivity of your data, this may be a false sense of security. There is much more to secure storage of data than the encryption algorithm that is used. Many companies have moved, or are in the process of moving, to the cloud for computing and data storage. Overall, cloud services are a less expensive environment for computing and data storage, with the convenience of worldwide access from any number of devices.

Cloud services encrypt data in flight to and from the cloud and data at rest, and this encryption is typically included in the base cost of the service. But is it as secure as the in-house datacenters these companies once used? Even where a company did not encrypt its data, a private network gave it some protection against external adversaries. When using a cloud service, companies give up direct control of their data and rely on the security of the cloud service and its personnel. The provider's default encryption primarily protects the provider against the consequences of a breach of its storage media, and so against undue financial loss. With provider-managed keys, the keys are generated, stored and used inside the provider's own key management service, and how well they are actually protected cannot easily be assessed by the customer. Poor key management on the provider's side could allow internal access to customers' data.

When it comes to encryption, it is not the algorithm that protects the secrecy of data: algorithms are publicly known and widely distributed, and a sound design assumes the attacker knows them (Kerckhoffs's principle). The choice of algorithm matters in that some are stronger than others, but the security of encrypted data rests on the security and secrecy of the cryptographic key. Any entity that has access to the key can decrypt the data.

Companies whose sensitive data must be protected for business purposes may choose encryption where the cryptographic keys are unique to them. This is implemented as a second level of encryption, typically offered as customer-managed keys or client-side encryption, and most cloud services support it. These companies must then implement strong key management in which split knowledge and dual control are enforced, so that no single individual ever has access to a complete encryption key. Split knowledge means the key is held as separate components distributed to separate individuals for safekeeping; knowledge of one component reveals nothing about the key itself. Dual control means that two or more individuals are required to perform key management functions, which may include key recovery, distribution to other platforms or systems, and internal use. Improper key management may result in the loss of keys, or in a compromise of the key that exposes the data that was meant to remain secret.
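As an added example (not any cloud provider's KMS code or the author's), the Python below implements split knowledge with XOR key components, the scheme long used for manually loading keys into payment HSMs, together with a dual-control ceremony that refuses to reconstruct the key until every named custodian has presented a component and the result matches a recorded check value. The custodian names and the SHA-256 based check value are assumptions made for the example.

```python
"""Split knowledge (XOR key components) and dual control for a symmetric key."""
import hashlib
import secrets
from typing import Dict, List


def split_key(key: bytes, n_custodians: int) -> List[bytes]:
    """Split `key` into n components: n-1 are uniformly random, the last is
    key XOR (all the others). Each component alone is a one-time-pad ciphertext of
    the key, so any fewer than n components reveal nothing about it."""
    if n_custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n_custodians - 1)]
    last = bytes(key)
    for c in components:
        last = bytes(a ^ b for a, b in zip(last, c))
    components.append(last)
    return components


def combine_components(components: List[bytes]) -> bytes:
    """XOR all components back together; order does not matter."""
    out = bytes(len(components[0]))
    for c in components:
        if len(c) != len(out):
            raise ValueError("component length mismatch")
        out = bytes(a ^ b for a, b in zip(out, c))
    return out


def check_value(key: bytes) -> str:
    """Short fingerprint recorded at generation time to confirm a reconstructed key without
    revealing it. SHA-256 based here as an assumption; a payment HSM would use an AES KCV."""
    return hashlib.sha256(b"kcv:" + key).hexdigest()[:6]


class DualControlCeremony:
    """Collects components from distinct, pre-authorised custodians and releases the key
    only when ALL of them have presented their part (dual control)."""

    def __init__(self, custodians: List[str], expected_kcv: str):
        self.expected = set(custodians)
        self.expected_kcv = expected_kcv
        self.presented: Dict[str, bytes] = {}

    def present(self, custodian: str, component: bytes) -> None:
        if custodian not in self.expected:
            raise PermissionError(f"{custodian} is not an authorised custodian")
        if custodian in self.presented:
            raise ValueError(f"{custodian} already presented a component")
        self.presented[custodian] = component

    def ready(self) -> bool:
        return set(self.presented) == self.expected

    def reconstruct(self) -> bytes:
        if not self.ready():
            missing = sorted(self.expected - set(self.presented))
            raise PermissionError(f"dual control not satisfied, waiting on: {missing}")
        key = combine_components(list(self.presented.values()))
        if check_value(key) != self.expected_kcv:
            raise ValueError("check value mismatch: a component was mis-entered or tampered with")
        return key


def demo() -> bool:
    """Constructed walk-through: a 256-bit key split between two custodians (names assumed)."""
    key = secrets.token_bytes(32)
    kcv = check_value(key)                     # recorded with the key's metadata, not the key
    alice_part, bob_part = split_key(key, 2)   # handed to the custodians on separate channels
    ceremony = DualControlCeremony(["alice", "bob"], kcv)
    ceremony.present("alice", alice_part)
    try:
        ceremony.reconstruct()                 # must fail: only one custodian so far
        return False
    except PermissionError:
        pass
    ceremony.present("bob", bob_part)
    return ceremony.reconstruct() == key


if __name__ == "__main__":
    print("dual-control reconstruction succeeded:", demo())
```

Each component is a uniformly random string of the key's length, so any subset of fewer than all components is statistically independent of the key, which is exactly the split-knowledge property described above. Where a quorum smaller than the full set of custodians is acceptable (say 3 of 5, so that one lost component does not lose the key), Shamir secret sharing replaces the XOR split; the ceremony and check-value logic stay the same. A production key ceremony also logs who presented what, and wipes components from memory after use.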

Encryption key management is a critical part of using encryption to keep data secure and secret. Poor key management is like hiding the spare house key under the welcome mat. If you don’t understand how your encryption keys are managed, and more importantly which people and systems have access to them, your data may not be as secure as you think. Several ISO and ASC X9 standards (for example ISO 11568 and ANSI X9.24 for banking key management, and NIST SP 800-57 more generally) can help you review key management processes, as can consulting firms that are willing to help.


How the Emergence of Artificial Intelligence Will Affect Cybersecurity

The potential threats posed by cybercriminals remain on the rise. As a result, cybersecurity has become a major focus of businesses, government entities, and individuals alike. With so much valuable data at risk of being stolen or misused, organizations are looking for innovative solutions to protect themselves from cyber threats. According to IBM’s “Cost of a Data Breach 2022” report, it takes a security team an average of 277 days to identify and contain a breach. Artificial intelligence (AI) has emerged as one of the most promising solutions for enhancing cybersecurity.

The introduction of Artificial Intelligence (AI) into the world of cybersecurity should be considered a game-changer. AI can help organizations protect themselves from cyber threats and also aid in incident response and investigation. AI will enable businesses to become more efficient and cost-effective by helping them quickly identify suspicious behavior, investigate security incidents faster, and accurately identify attackers.

First of all, AI will be used to detect malicious activity faster than ever before. AI-powered security systems will use sophisticated algorithms to quickly detect potential threats and malicious activity, giving companies time to act before a breach occurs. With the right system in place, companies can identify an attack almost as soon as it starts and act accordingly to stop it before any significant damage is done.

Second, AI will help improve incident response time. Currently, when a cyberattack takes place, organizations often have difficulty responding quickly because they must manually investigate each event individually. With the help of AI, they will be able to triage and investigate each incident automatically and at machine speed, with analysts focusing on the findings rather than the raw events. This will enable them to react quickly and effectively if an attack does occur.

Thirdly, AI-powered cybersecurity solutions can provide more accurate identification of attackers. AI can learn how different attacks work over time and use that knowledge to more accurately detect when a new attack is launched against a system. It can then trace back its source to identify the attacker and their intent more accurately than ever before. This information can then be used for future protection strategies against similar attacks in the future.

Finally, AI-driven solutions are already being deployed in areas such as network security analytics, which examines network traffic patterns in real time so that malicious activity can be spotted much faster than a human could manage manually. These solutions are becoming increasingly advanced as they incorporate machine learning techniques that let them adjust their detection criteria over time as new threats emerge, making them better at identifying threats before they have a chance to do harm.

All in all, AI will bring unprecedented levels of efficiency and accuracy into cybersecurity operations as it becomes increasingly deployed across multiple industries worldwide. With its ability to scan huge volumes of data quickly while providing deep insight into network activity and possible attackers’ intentions, companies are poised to make greater gains than ever before against the threat landscape with minimal effort required on their part. This makes it imperative for businesses today to take steps towards implementing these innovative solutions if they wish to stay secure now and in the future.

The Cyber Compliance Market

Recently, someone asked me to quantify the federal cyber market. 

FedRAMP is now law, underlining the Government’s Cloud First mandate. After years of ambiguity and excessive cost to become FedRAMP certified in order to demonstrate data protection controls based on each agency’s needs, the law now sets a level playing field for mid-size service enterprises that want to tap into the federal market. The new law establishes a system of reciprocity that lets federal agencies accept vendors already authorized elsewhere and obtain the same level of data protection more easily.

While this law is appealing, the certification rules have not changed. Readiness is still a mountain to climb, even with an understanding of the intent of the NIST 800-53 controls and their applicability to the service provider’s environment. The NIST requirements are complex, and the cloud security architects’ and DevOps teams’ ability to design and implement the service within an approved boundary with appropriate data controls is no small feat. Demand for these cloud security professionals is very high.

Once you are FedRAMP certified, continuous monitoring is an ongoing program: reporting incidents and security events, scanning for vulnerabilities, and ensuring that new product features do not amount to a “significant change” to the authorized system.

“Let us do the numbers” from my favorite NPR show Marketplace by Kai Ryssdal.

  • While 2022 saw the federal government spend over $11B on cloud technologies, the new bill signed in December 2022 increases that spending
  • The federal market is a long-term revenue stream with a market of 440 agencies
  • Government agencies in 10 states have adopted the FedRAMP model through StateRAMP, a program modeled on FedRAMP
  • FedRAMP is the security gate that opens access to these agencies
  • FedRAMP requires validation from a pool of about 40 3PAOs
  • The lack of cloud security and application security professionals will further strain service providers’ ability to get certified quickly

The numbers are interesting but, where do you start?

  • Does your compliance team or security team understand NIST security framework?
  • Is your commercial cloud deployment aligned to security benchmarks or regulations?
  • Don’t let the roughly 1,000 NIST controls intimidate you. These are common-sense cyber hygiene controls, broken into domains, many of which your information security team has probably already implemented
  • 3PAOs can offer guidance, but your FedRAMP readiness team should have cloud security engineers who can map your current security tools and processes to the NIST requirements
  • AWS, GCP and Azure offer FedRAMP-authorized government cloud regions (such as AWS GovCloud); see whether it makes sense to deploy your cloud software there and continuously monitor it
  • This is not a security tool game or a FedRAMP-ready “blueprint” but an assessment of your security controls and processes against a somewhat higher security requirement

There is a small battalion of certified assessors who can provide guidance and certification. The shortage of certified auditors is lengthening timelines, as many of us are now also getting ready for CMMC, a DoD mandate that impacts 300,000+ DoD subcontractors in 2023.

FedRAMP Authorization Act

https://www.linkedin.com/pulse/fedramp-authorization-act-securitybricks-inc

FedRAMP provides a standardized approach to security authorizations for cloud service offerings within the federal ecosystem and is a crucial cybersecurity authorization that cloud service providers must obtain before handling U.S. government data. Obtaining it in advance means a listing in the FedRAMP Marketplace, from which government divisions and agencies can choose a provider at the impact level they require.

Cloud Service providers have a multi-billion dollar federal market to address with some clarity on security requirements.

President Joe Biden has signed legislation that reforms the Federal Risk and Authorization Management Program (FedRAMP), a cybersecurity authorization program, as part of the National Defense Authorization Act (NDAA) for fiscal year 2023. The act is designed to promote the implementation of FedRAMP government-wide.

The latest iteration of the FedRAMP Authorization Act makes sure that the FedRAMP program has a governing board to keep improving quality and to shorten the time it takes a Cloud Service Provider (CSP) to attain an Authorization to Operate (ATO). The act also creates a new cloud advisory committee that includes five representatives from cloud service companies, with the specification that two of those positions will be filled by small cloud vendors.

Why is this important to cloud service providers (CSPs)?

There are hundreds, if not thousands, of cloud service providers who need to be FedRAMP certified, and the journey for many has been long, with millions of dollars in investment. The old rules made it difficult to cross-sell to federal agencies, as each agency could add its own security requirements, extending the sales process.

One of the most significant aspects of the FedRAMP reform language is a “presumption of adequacy” clause, which allows a FedRAMP-authorized service to be used by any federal agency without additional cost or time, increasing the CSP’s addressable market.

The cloud advisory committee will give CSPs a voice, making the rules relevant and effective for continuous compliance while ensuring the highest level of data protection. The shortage of 3PAOs has lengthened assessment timelines, and the single-assessment approach will free up 3PAOs to get more CSPs certified.

If a CSP wants to make a business case for pursuing the federal market, it can start by benchmarking its service against the NIST controls using FedRAMP-authorized services in the GCP, AWS and Azure government cloud regions. Once it completes its readiness work and can demonstrate compliance with the NIST 800-53 controls, it engages a 3PAO to validate the controls and submits the package for FedRAMP authorization. Once authorized, the service is listed in the FedRAMP Marketplace, and any federal agency can subscribe to it. A FedRAMP-authorized CSP has demonstrated a high standard of security control implementation and monitoring, which reduces the need to chase lesser-known commercial security certifications. FedRAMP now has millions of dollars in funding to market its program to state agencies, many of which are adopting FedRAMP as their security framework, and this only increases the addressable market.