Cybersecurity is one of the highest national priorities in the US. In order to preserve cybersecurity, legislation such as the FISMA (Federal Information Security Management Act) has been substantially updated to improve capacity for preventing, detecting and responding to threats. Ongoing updates to legislation seem to suggest a shift from simply demanding compliance to adoption of a continuous monitoring model.
What is Continuous Monitoring?
In contrast to traditional monitoring processes, which examine only a small sample of events, continuous monitoring audits events as they occur or immediately afterwards.
What is being monitored?
1. Primary Monitoring – this covers the security controls themselves; its focus is on hardware, software and firmware.
2. Secondary Monitoring – this covers the operational environment; its foci include the environment, mission and policy/regulations.
3. Changes to the systems
Key stages in the continuous monitoring process include the following:
- Identify the control rule for each control point.
- Establish a test that validates each control rule.
- Establish tests to identify problematic transactions.
- Test transactions regularly.
- Identify transactions that fail the tests. Notify the appropriate individuals within the organization of failures.
- Investigate failed transactions and act to correct the transactions or control problem.
Continuous Auditing vs. Continuous Monitoring
Both continuous auditing and continuous monitoring aim to provide organizations with more transparency through accurate, timely reporting practices. Continuous auditing is the automated collection of audit indicators from the IT systems, transactions, processes and controls on a continuous basis. This may be carried out by an internal or external auditor. Continuous auditing can serve as a means to detect control failures earlier than other reporting approaches.
By contrast, continuous monitoring is an automated feedback system that reports on the operation of systems and controls. This is analyzed by management to identify gaps or irregularities which may indicate control failures.
SANS Security Controls
Twenty critical security controls were developed by SANS (the SysAdmin, Audit, Network, Security Institute), in collaboration with hundreds of other groups, including the Department of Defense, civilian federal agencies and cybersecurity experts. The SANS controls were developed to reinforce the requirements of US cybersecurity legislation such as FISMA, as well as other government guidance, including NIST SP 800-53, SCAP (Security Content Automation Protocol) and FDCC (Federal Desktop Core Configuration). These controls are generally the highest priority concerns of most security professionals.
Each critical control is associated with a series of tests that should be conducted either on a periodic or a continual basis. The following are the security control categories, each with a brief explanation of the potential risk it addresses and of how the control can be implemented and measured. The first fifteen categories are critical controls subject to automated collection, measurement and validation.
1. Inventory of authorized and unauthorized devices
- Risk: New and unprotected systems are vulnerable to exploitation. They may enable attackers to access the information deeper within the organization.
- Implementation: Maintenance of accurate and up-to-date inventories, utilizing inventory monitoring tools. Inventories should include removable media devices, USB tokens, external hard drives and other information storage devices.
- Measurement: Connect hardened test systems to the network to ensure that they are automatically isolated.
2. Inventory of authorized and unauthorized software
- Risk: Certain versions of software are vulnerable to exploitation, for example through backdoor programs, bots and zero-day exploits.
- Implementation: Develop a list of authorized software. Use software inventory tools to track the type, version and patch level of software installed on each system in the organization.
- Measurement: Introduce a benign software test program.
3. Secure configurations for hardware and software on laptops, workstations and servers
- Risk: Default configurations often do not provide an adequate level of security.
- Implementation: Document security settings of system images.
- Measurement: Detect unauthorized changes. Use file integrity checking tools and system scanning tools.
4. Secure configurations for network devices (e.g. firewalls, routers, switches)
- Risk: Over time, network devices may become less securely configured.
- Implementation: Compare network device configuration against standard secure configurations.
- Measurement: Make test changes to network devices to verify that alerts are raised and the device is isolated. Test that protocols (e.g. IPv6) are being filtered correctly.
5. Boundary defense
- Risk: Weaknesses in configuration or architecture on perimeter systems or network devices can give attackers access into the system.
- Implementation: Communications should be limited to trusted sites and pass through at least one proxy.
- Measurement: Test boundary devices by sending and accepting packets through the boundary.
6. Maintenance, monitoring and analysis of security audit logs
- Risk: Flaws in security logging and analysis may help attackers disguise location, activities and malicious software on machines.
- Implementation: Validate the audit logs of each system and of the hardware and software installed on it.
- Measurement: Review security logs from network devices, servers and hosts.
7. Application software security
- Risk: Application software with security flaws can expose the organization to attacks such as buffer overflows, SQL injection and cross-site scripting.
- Implementation: Test internally developed and third-party web and application software. Use web application firewalls to inspect traffic.
- Measurement: Test with a web application vulnerability scanner. Use static code analysis tools and database configuration review tools.
8. Controlled use of administrative privileges
- Risk: Uncontrolled administrative privileges can allow attackers to take over a machine or elevate administrative privileges.
- Implementation: Keep an inventory for all administrative passwords. Ensure that all those with administrative privileges have the appropriate authorization.
- Measurement: Verify enforcement of password policy.
9. Controlled access based on need to know
- Risk: Sensitive data that is mixed with less sensitive data may be easily compromised, since the level of access is the same.
- Implementation: Develop a multi-level data separation scheme.
- Measurement: Test that accounts with limited privileges are unable to access the same files as those with more privileges.
10. Continuous vulnerability assessment and remediation
- Risk: Delays in finding or repairing software with vulnerabilities can allow attackers to gain control and/or access sensitive information.
- Implementation: Vulnerability scanning tools should be used on all systems. Results should be compared to determine if vulnerabilities have been addressed.
- Measurement: Verification of application vulnerability scanning.
11. Account monitoring and control
- Risk: Inactive user accounts may be vulnerable to impersonation and unauthorized access.
- Implementation: System accounts should be reviewed regularly. Accounts that are dormant should be disabled.
- Measurement: Evaluation should be conducted on accounts that have been locked out or disabled, as well as those with expired passwords.
12. Malware defenses
- Risk: Malware can tamper with data stored on a system, capture sensitive information and transmit it to other systems.
- Implementation: Workstations, servers and mobile devices should have anti-virus, anti-spyware and host-based intrusion prevention systems.
- Measurement: Test with benign malware to ensure systems are able to promptly identify, block and quarantine it.
13. Limitation and control of network ports, protocols and services
- Risk: Poorly configured web servers, mail servers, DNS servers and file and print services may give attackers remote access.
- Implementation: Apply host-based firewalls or port filtering tools on end systems.
- Measurement: Install test services with network listeners randomly on the network.
14. Wireless device control
- Risk: Wireless devices are often remotely exploited when used outside the organization.
- Implementation: Each wireless device on the network must have an authorized configuration and security profile.
- Measurement: Wireless clients and access points should be tested for vulnerabilities in various scenarios.
15. Data loss prevention
- Risk: Data leakage may be a result of a variety of attacks (e.g. physical theft, data transfers across the network).
- Implementation: Network monitoring should examine outbound traffic. Laptops with sensitive data should have encrypted hard drives.
- Measurement: Test data should be moved across network boundaries in a variety of scenarios.
The last five control categories are indirectly supported by automated measurement and validation. They include:
16. Secure network engineering
17. Penetration tests and red team exercises
18. Incident response capability
19. Data recovery capability
20. Security skills assessment and appropriate training
Example of Continuous Monitoring
An example of a continuous monitoring system in action is the recently introduced CyberScope tool, which is currently being used by US federal agencies. With CyberScope, agency personnel send in real-time reports and questionnaires on their agency’s IT security status. This replaces the previous practice of sending in annual paperwork and reports, which was costly and time-consuming and provided limited or outdated data. CyberScope was developed in order to move IT security management from simply achieving compliance to a model of continuous monitoring and situational awareness.
This article explores the concept of continuous monitoring, a current approach to IT security management. Continuous monitoring can improve the quality of information security by providing up-to-date and meaningful information to decision makers. Unlike traditional monitoring, which can only provide a limited snapshot of the security situation within an agency or organization, continuous monitoring strategies are more dynamic. The article also looks at the SANS security controls, which represent the priority concerns of security professionals today.
In preparation for the Certified Information Privacy Professional/US Government exam, a privacy professional should be comfortable with topics related to this post, including:
- Federal Information Security Management Act of 2002 – FISMA (I.C.f.)
- Federal agency performance (I.C.f.i.3.)
- US government privacy program development (II.A.a.)
- Auditing and compliance monitoring (II.B.c.)