A common misconception, “I’m compliance, so I must be secure”. This 4-part series focuses on best practices for fully developing your security program.

Compliance Is Never Enough: Secure Software Development

What is an SDLC?

What is a software/systems development lifecycle? What elements should be included in an SDLC? What is the most important phase in an SDLC? What are the different frameworks? What are the methodology terms? How do you validate compliance with an SDLC? Is the OWASP an SDLC? This webinar educates listeners with an overview on the individual phases and elements that should be included in an SDLC and with some basic knowledge about SDLCs.

An SDLC is…

  • A framework that defines each task to be performed at each step in the software development process.
  • A structure that should be followed by a development team within the software’s organization.
  • A detailed plan describing how to develop, maintain, and replace specific software.
  • Composed of clearly defined work phases which are used by systems engineers and systems developers to plan for, design, build, test, and deliver information systems.
  • Comprised of policies, procedures, and standards.
  • Meant to maintain a secure environment that supports business needs.

The basics steps of an SDLC are…

  1. A preliminary analysis in which the organization defines its objectives and decides what needs to be accomplished. Business, technical, functional, and user requirements are gathered. Discovering what your requirements are is the foundation of this process. What is needed to make this program successful?
  2. A system analysis where the project goals are defined into functions and deficiencies are identified.
  3. A system design phase that describes desired features and operations in detail. The new system requirements, based off of the deficiencies found, are addressed in a proposal for improvement.
  4. A development process in which plans are laid out concerning the physical construction, hardware, operating systems, programming, communications, and security issues. Users of the system must be trained.
  5. The use of the new system and the gradual replacement of the old.
  6. Testing for errors, bugs, and inoperability.
  7. An evaluation to assess if goals were achieved.
  8. A disposal plan to discard system information, hardware, and software while marking the
  9. transition to the new system.
  10. Continued rigorous maintenance to ensure the system does not become obsolete.

Watch the full webinar to learn how your organization can have a fully-functioning application in a hardened environment. For more information, contact us today.

Compliance is Never Enough: Encryption & Key Management

Understanding a Key Management Program

The purpose of this presentation is to give you a foundation of understanding encryption. This webinar will not delve into the math involved, but rather, you will learn about the different types of encryption, key management basics, algorithm uses, and encryption attacks.

First, let’s define and discuss symmetric versus asymmetric encryption. Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. Asymmetric algorithms use different keys for encryption and decryption, and is a form of encryption where keys come in pairs. Usually, but not necessarily, if key A encrypts a message, then B can decrypt it, and if key B encrypts a message, then key A can decrypt it. By listening to the presentation, you will hear examples of how these different algorithms function.

We believe best practices for a key management program include:

  • Fully document your encryption key management program
  • Generate strong keys
  • Ensure secure key distribution
  • Keys must be protected in storage (KEK)
  • Do not encrypt new data with retired encryption keys
  • Replace keys when they are weakened or suspected of a compromise
  • Prevent unauthorized key substitution

Cryptoperiods are a major topic in key management. This webinar discusses risk factors that affect cryptoperiods, like the security life of the data and the strength of the cryptographic mechanisms. When we discuss cryptoperiods, we use the NIST Special Publication 800-57 definition:

  • Limits the amount of information protected by a given key that is available for cryptanalysis
  • Limits the amount of exposure if a single key is compromised
  • Limits the use of a particular algorithm to its estimated effective lifetime
  • Limits the time available for attempts to penetrate physical, procedural, and logical access mechanisms that protect a key from unauthorized disclosure
  • Limits the period within which information may be compromised by inadvertent disclosure of keying material to unauthorized entities
  • Limits the time available for computationally intensive cryptanalytic attacks (in applications where long-term key protection is not required)

The webinar discusses algorithms such as block cypher, stream cypher, Data Encryption Standard (DES), Triple DES, RSA, Blowfish, AES, and Two Fish. Listen to the full presentation to hear Jeff Wilder introduce topics such as disk encryption, encryption attacks, and the Q&A portion. For more information on encryption and key management, contact us today.

Compliance is Never Enough: Hardening and System Patching

Best Practices for Patch and Vulnerability Management Programs

75% of the assessments that we do will generally have a finding regarding patching. So, what’s missing? What can we do to change that? In this webinar, Jeff Wilder discusses best practices for patch management programs, best practices for vulnerability management and identification programs, false assumptions about patching, risk ranking, and recommended tools.

Patch management should only be a part of your overall vulnerability program. Your program should also include AV, FIM, and Log Review, defined policies and procedures, the necessary tools to identify missing patches or vulnerabilities, and staff that is sufficiently trained to address identified issues. We also need to keep in mind that patching is not just about your workstation or servers. You need to ask yourself: When was the last time you updated your routers and firewalls? Have you also considered the applications you use? How do you intend on deploying your non-Microsoft patches? What about IoT devices? What about company-provided Android devices, Adobe products, etc.?

Your vulnerability management and identification program should include monitoring multiple sources for known vulnerabilities, monitoring vendor sites for patches and updates, a risk ranking system for the identified vulnerability, and a watch for 0-day attacks.

Once you’ve identified a patch or vulnerability, you need to rank that risk. We recommend the Common Vulnerability Scoring System (CVSS). Vulnerabilities, once identified, are given a score between 1 and 10, 1 being “informational” and 10 being “needs to be address immediately.”

There can be many false assumptions when it comes to patching. Patch and vulnerability management programs are about addressing risk, not just patching a device. Traps that you could fall into are thinking that just because there is an available patch or update doesn’t mean that you have to install it, thinking that because a vendor says an update is medium risk doesn’t mean it’s critical or not critical to your organization, thinking that because Microsoft doesn’t tell you there is a vulnerability means you are immune from attack, and thinking that keeping your system patched will keep it free from all vulnerabilities.

Tools that we recommend:

  • Secunia
  • org
  • Microsoft Baseline Security Analyzer (MBSA)
  • Missing update on Linux Devices
  • Nipper by Titania
  • Secunia PSI (Personal Software Inspector)
  • NVD Database
  • Reddit
  • exploit-db.com
  • IRC
  • HexChat

Still have questions on vulnerability management programs? Contact us today and speak to an expert.

Firewall and Router Management

Best Practices for Firewall and Router Management

This webinar is not going to provide you with specific instructions on how to configure your individual devices. However, it will provide you with the individual attributes that you need to consider when developing your router and firewall security program. In this webinar, we will focus on discussing physical devices, running operating systems, and secure traffic rules.

If your goal is to fully develop your security system, you must accept that managing the security of a physical device goes much further than the device itself. Best practices include:

  • Assigned responsibility for the management of physical devices and periodic review of the configurations must be performed
  • Defined acceptable use policies and procedures for your assets, along with acceptable technologies and acceptable locations to place them in
  • In those locations, you must ensure that they are physically secured from unauthorized access; this means that cables connecting in to and out of the devices are secure, there is limited access to directly console into devices, and there is minimal out-of-bound access points to devices

When you’re considering how to securely run operating systems, there are a few logical steps:

  • Limit logical access to only those who require it
  • Maintain a detailed list of hardening standards
  • Configure logging
  • Change all defaults (especially passwords)
  • Ensure strong encryption
  • Keep your operating system updated
  • Establish remote access console timeout
  • Configure NTP
  • Establish log-on banner
  • Disable unused interfaces
  • Ensure that loaded images are authentic
  • Restrict ICMP from untrusted interfaces
  • Enable anti-spoofing rules

When maintaining secure traffic rules, there are a few best practices including:

  • Maintain a list of approved ports and services, which management should oversee
  • Limit inbound traffic from the Internet to the DMZ
  • Limit outbound traffic to only that which is needed
  • Deny all other traffic not required
  • Generally speaking “any ” rules should not be used; rules should be as prescriptive as necessary

Listen to the full webinar to learn more about firewall and router management, listen to the Q&A portion, and view more resources. Contact us today to learn more.