E-GOV Security (Part 2–Twenty Critical Cyber Defense Controls to Secure Citizen Data & Maintain Public Trust)
The National Association of State CIOs (NASCIO) and Deloitte released findings from “The 2010 Deloitte-NASCIO Cybersecurity Study”, which found that state governments are NOT doing enough to secure citizen data and maintain public trust. In fact, looking at the details of this study, it is evident that state governments hold more personally identifiable information (PII) about citizens than any other type of organization.
State governments fund security less than other entities, and CISOs often lack the authority to enforce security broadly throughout the government. The funding problem results in a shortage of IT security personnel: the study shows that only 2% of state governments have more than 50 information security FTEs, compared to 48.5% for similarly sized organizations.
While many state CISOs have adopted NIST standards for risk assessment, most state governments still do not adhere to enforcement mandates or audit compliance regimes like FISMA (Federal Information Security Management Act), which is enforced at the federal government level. The irony is that adopting better security standards can actually save state and local government (SLG) money on IT procurement and on daily management and operations.
According to Gartner's 2008 “Case Study: Air Force Commodity Councils Take Aim at Mission Effectiveness”, the U.S. Air Force adopted new security standards, including the Federal Desktop Core Configuration (FDCC) and a Microsoft support agreement, which helped it to:
- Speed up implementation of critical enterprise-wide security standards
- Save approximately $156 million in hardware costs
- Enforce enterprise-level cybersecurity policies
- Distribute software updates and configuration changes in a timely manner
- Save $100+ million in software licenses and other life cycle costs
In all, the USAF achieved better security and saved more than $256 million in 4 years by simply implementing stricter security standards and reining in spending on procurement and excessive IT staff, since fewer systems administrators were required to manage the standardized systems.
SLG needs to first improve security by implementing the Twenty Critical Controls for Effective Cyber Defense. Few SLG agencies have adopted ALL of these safeguards, and as a result we are losing the “Cyber War” in state and local government, exposed to threats and a potential for data loss that could dwarf by orders of magnitude what was released by Wikileaks.org.
Automation and software can be mapped to the controls as well, in order to fight back and gain the tactical advantage in cyberspace while implementing them. In an effort to simplify adoption, SANS has mapped a list of generically user-vetted tools here; however, there are also a number of Microsoft cloud and on-premises technologies that map to each of these 20 Critical Controls:
1. Inventory of Authorized and Unauthorized Devices
- Microsoft System Center Configuration Manager (SCCM)- Hardware Inventory
- System Center Online Asset Inventory Service (AIS)
- Windows Intune (In the Cloud)
- Microsoft Assessment and Planning (MAP) Toolkit
2. Inventory of Authorized and Unauthorized Software
- Microsoft System Center Configuration Manager (SCCM) – Software Inventory
- Windows 7 AppLocker
- Software Restriction Policies (Active Directory GPO)
- Microsoft Software Inventory Analyzer (MSIA) – Free Tool
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Federal Desktop Core Configuration (FDCC) Image
- Microsoft Active Directory GPOs & Security Guidance
- Microsoft Security Compliance Manager (Central Security Baseline Management)
- Microsoft System Center Configuration Manager (SCCM) – Desired Configuration Management
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- 802.1X Wired Authentication
- 802.1X Wireless Authentication
- Network Access Protection (NAP) | Cisco Network Access Control (NAC)
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
- Microsoft Security Development Lifecycle (SDL)
- SDL Threat Modeling Tool
- Banned.h (header file that flags use of banned APIs in C/C++ code)
- FxCop (Static code analysis of .NET)
- Code Analysis for C/C++
- Anti-XSS Library (Mitigates Cross Site Scripting)
- BinScope Binary Analyzer (Free Tool)
- MiniFuzz (Free Tool)
- SDL Regex Fuzzer (Free Tool)
- AppVerifier (Free Tool)
- Visual Studio 2010
- Microsoft Threat Management Gateway (TMG)
- Microsoft Unified Access Gateway (UAG)
8. Controlled Use of Administrative Privileges
- Microsoft Active Directory
- Microsoft System Center Configuration Manager
9. Controlled Access Based on Need to Know
- Windows Server 2008 R2 File Classification Infrastructure (FCI)
- AD Rights Management Services (RMS)
- Microsoft Active Directory
10. Continuous Vulnerability Assessment and Remediation
- System Center Configuration Manager (SCCM) – Software Update Management
- Microsoft Windows Server Update Services (WSUS)
- Shavlik (SCUPdates) – System Center (SCCM) deployment of updates for both Microsoft & 3rd party applications
- Eminentware – Simplify 3rd party patch management via WSUS and SCCM
- Secunia (Corporate Software Inspector – CSI) integrates with WSUS and SCCM for 3rd party patch management
- Forefront Endpoint Protection 2010 (FEP)
11. Account Monitoring and Control
- Microsoft System Center Operations Manager (SCOM)
- Audit Collection Services
- Microsoft Windows Event Log
12. Malware Defenses
- Forefront Endpoint Protection 2010 (FEP)
- Microsoft Forefront Protection for Exchange
- Microsoft Forefront Protection for SharePoint
- Microsoft Forefront Security for OCS
- Microsoft Forefront Threat Management Gateway (TMG)
- Microsoft Forefront Online Protection for Exchange (FOPE)
13. Limitation and Control of Network Ports, Protocols, and Services
- Forefront Endpoint Protection 2010 (FEP)
- System Center Configuration Manager (SCCM) – Desired Configuration Management
- Windows Firewall
- Microsoft Forefront Threat Management Gateway (TMG)
- Microsoft Forefront Unified Access Gateway (UAG)
14. Wireless Device Control
15. Data Loss Prevention
- AD Rights Management Services (RMS)
- RSA Data Loss Prevention (integrates with RMS)
- Microsoft Forefront Unified Access Gateway (UAG) – HTTP redaction & Attachment Wiper
- BitLocker Drive Encryption
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
- Microsoft System Center Data Protection Manager (DPM)
- Volume Shadow Copy Service (VSS)
- Windows System Restore
20. Security Skills Assessment and Appropriate Training to Fill Gaps
- Microsoft Security Guidance on TechNet
- Microsoft Security Development Lifecycle (SDL)
- Microsoft E-Learning
Microsoft has solutions, products and technologies that map to each of these weak control areas identified by the NSA and NIST. Many of them are already licensed by SLG agencies or are free downloads, yet many of the controls still have not been deployed. State and local government agencies can drastically improve security while saving money by implementing these security controls holistically rather than piecemeal, as has historically been the case.