The Federal Information Security Act (FISMA) of 2002 requires that government agencies report on their Information Technology Security Status annually to the Office of Management and Budget (OMB). Under current FISMA guidelines, any system owner within a government agency is required to complete the certification and accreditation (C&A) process. The process requires that security controls and policies for all subsystems within the environment be implemented including: host based hardening, Host Based Security Systems (HBSS), installing firewalls, Intrusion Protections Systems (IPS). Once the security systems are deployed and technical security controls are in place, typically an outside independent organization will validate the security controls, through a risk assessment process. Once the process is complete the information is reviewed and the agency will decide to grant the system an Authorization to Operate (ATO). Under new guidelines all systems are required to monitor the baselines security controls and document any changes to the system by implementing a continuous monitoring program. A continuous monitoring plan should be implemented to assess the risk to the environment based on changes to the system. Currently, there are a number of organizations that make recommendations for implementing a continuous monitoring program but differ on the definition and implementation. The implementation of a continuous monitoring program can be made if an organization uses common sense in conjunction with the recommendations contained in current National Institute of Standards and Technology, SANs and Department of Home Land Security.
Continuous Monitoring is the on-going assessment of change and related risk to the baseline configuration of security authorized operational IT systems within the enterprise. The goal of a Continuous Monitoring program is to determine if built in system security controls continue to be effective over time. The proper balance of policy, context, processes and technology application dictates the overall effectiveness of the program. A number of government organizations have developed standards and recommendations for developing a continuous monitoring strategy. The National Institute of Standards and Technology (NIST) Special Publication 800-137 rev 1 ” Information Security Continuous Monitoring for Federal Information Systems and Organizations” presents guidelines for applying NIST’s Risk Management Framework (RMF) to Federal Systems. In NIST’s Special Publication NIST defines continuous monitoring as: ” Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of the information security, vulnerabilities and threats to support organizational risk management”.
NIST in conjunction with the Department of Home Land Security (DHS) developed NIST Interagency Report 7756 “CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Model (Second Draft) “which extends the original CAEARS Reference Architecture that describes standard protocols and systems to produce an automated continuous monitoring system. Currently, hardware and software tools using a standard set a protocols to monitor all assets within the enterprise have not been currently developed. DHS plans to award contacts totaling more than 6 billion to a number of companies to develop and implement continuous diagnostic and mitigation tools. In addition, the SANs Institute working with the Department of Defense (DOD) published ” Twenty Critical Security Controls for Effective Cyber Defense” which makes a number of recommendations on the implementation of continuous monitoring. Even though complete monitoring tools sets have not been fully develop, organizations can use SAN’s recommend controls to begin to implementing a continuous monitoring program to provide situational awareness of the enterprise. Within the recommended 20 controls, three controls, Critical Control, 4, 14, and 16 make recommendations to implement continuous monitoring capabilities across an enterprise networks. Critical Control 4 provides recommendations on vulnerability scanning and remediation. Critical Control 14 discusses the importance of auditing within the enterprise. Lastly, Critical Control 16 discusses account monitoring and control.
Unfortunately, many organizations fail to monitor the security controls for changes that may affect the security posture of the system. Once security configuration baselines are applied to systems, little is done to update the controls based on system changes. Implementing vulnerability scanning and compliance tools is an easy way protect the enterprise against known threats.
Vulnerability scanning tools incorporate two different scanning mechanisms, compliance scans and vulnerability scans to protect the enterprise. Compliance scans checks the systems against a known set of configuration security baselines or set of policies used for system hardening, such as those published by Defense Information Systems Agency (DISA) and the Center for Internet Security (CIS). The compliance scans should run against all system on the network to maintain ATO compliance and detect if any unauthorized changes were made to circumvent security. On the other hand, vulnerability scans checks the system against known set of threat signatures. The vulnerability scans will list known threats based on Common Vulnerability Alerts (CVE), vendor patch updates on common operating systems and application software. In addition, vulnerability scanning tools can provide network discovery scans to check for unauthorized devices that may be connected to the network. The discovery scans can be used to maintain the organization Configuration Management policies. SANs Critical Control 4 states ” run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Where feasible, vulnerability scanning should occur on a daily basis using an up-to-date vulnerability-scanning tool. Any vulnerability identified should be remediated in a timely manner, with critical vulnerabilities fixed within 48 hours”.
Vulnerability scanning should be incorporated into any organization’s security plan and should be the first step in the implementation of a continuous monitoring program. Many scanning tools are available in the commercial market, such as Tenable’s NESSUS vulnerability scanner and eEye Digital’s Retina vulnerability scanner.
Audit logs are one of the most important security controls to implement when developing security policies within the enterprise. Audit logs provide a wealth of information on the daily activities of authorized system users and some cases unauthorized users as well. Almost every piece of equipment incorporated in building a IT infrastructure provides audit logging capability. Unfortunately, many organizations do not correctly implement audit logging policies when developing a System Security Plan. An organization’s audit policy may include the requirement to enable audit logging, but does not specify which logs are enabled, time period for review, retention time or how the logs will be consolidated offline for protection. SANs Critical Control 14 states ” Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible”.
Information Systems are under constant threats and attacks occurring from outside or inside the organization. Incorporating a strong audit logging capability and policies will help to detect unauthorized users, configuration changes, information for forensic investigations and system performance monitoring. Organizations should have audit logging enabled on network equipment for successful and failed logons, logoffs, account lockout, user account and password management, policy changes, object access and installed/un-installed applications at a minimum. Audit logs should be reviewed daily for any suspicious activity and retained off line for a minimum of 1 year. Reviewing audit logs can be very difficult, if not impossible to access each device on the network to review logs individually. Organizations should incorporate tools to consolidate all device logs into a single location for review. This prevents internal threats and outside attackers from deleting audit logs to cover their tracks from malicious activity. The system should have the capability to send alerts to security personnel for certain events in real time, either by email or Short Message Service (SMS).
Audit log consolidation should be considered the second step in
the implementation of a continuous monitoring program. The enabling of audit logs on devices and consolidating the logs to central device is one of the best ways to detect threats and provide situational awareness of the enterprise. The audit logs can provide insight to what is considered normal activity and what is not. Many tools for audit consolidation are available from companies like, GFI Software’s, GFI Events Manager, and Splunk that can ingest any type of ANSI based text file and then search for any data tag associated with a source event.
One of the most frequently targets of hackers are user accounts, default accounts, service accounts and inactive accounts. Hackers will target default accounts that have not been disabled with dictionary attacks and when exploited are difficult to detect. Even though most organizations have security policies on managing account access, poor oversight by management fails to strictly enforce policy. The uses of service accounts to access systems are all too common which makes correlating specific users with access very difficult. If an attacker just discovers a valid User ID than they have half of the puzzle to hack the account. If an attacker gains access to a system with an active user account they usually can find a way to gain access to an administrator level and exploit the entire system. Therefore, account monitoring policies should be reviewed on a regular basis and incorporated into the organization’s continuous monitoring program.
The implementation of regular monitoring of account access is one of the easiest ways to mitigate risk to the entire system. Account management should be incorporated into the daily operations of every System Administrator that has account creating authority. First, password requirements should be enabled on all systems, require passwords with 14 characters in length and include upper, lower and special characters. Account passwords must be changed after 60 days and inactive account disabled after 30 days. In addition, default system accounts should be disabled and renamed including the default administrator account. Accounts for terminated employees should be disabled immediately, all too often those accounts are left active making exploit by a disgruntled employee effortless. Moreover, System Administrators that leave and/or terminated should have their account disabled before leaving the building and the system closely monitored for any unauthorized activity. Lastly, all active accounts should be fully reviewed on a regular basis for employees that were transferred to new positions outside the division.
Incorporating account monitoring into a continuous monitoring program is a quick and effective means to mitigate risk to the system. In addition, the cost associated with implementing account monitoring is minimal, since it mostly entails an increase in security awareness and policy enforcement.
The number of attacks increase daily and the job of defending the system becomes more difficult especially when defending against zero day vulnerabilities. Organizations tend to apply system security with the least amount of cost as possible. However, with the ever increasing regulatory requirements organizations must find cost effective ways to protect and increase the situational awareness of their networks. In order to meet mandated requirements, organizations can implement a cost effective continuous monitoring program by conducting regular compliance and vulnerability scans, consolidate audit reporting and maintain a comprehensive account management policy to maintain the security posture of their enterprise.