Monday, May 23, 2016

PCI DSS v3.2 Spreadsheet Format

PCI DSS v3.2 Spreadsheet loaded here: https://sites.google.com/site/cloudauditcontrols.

May not be used for commercial purposes.

Monday, May 2, 2016

NIST to PCI DSS 3.1 Raw Map

This is the raw map; details will be provided later. We feel this draft is very close. It is currently undergoing review by another external QSA, and we have found only a few things to update.

CONTROL  CONTROL NAME  PCI DSS MAP
AC-01 Access Control Policy And Procedures 1.1, 7.1, 7.1.4, 7.3, 8.4, 8.8, 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.5.5
AC-02 Account Management 1.1.5, 2.1, 6.3.1, 6.4.4, 7.1, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2, 7.2.1, 7.2.2, 7.2.3, 8.1.3, 8.7, 8.1.4, 10.2, 10.2.5, 8.1.8, 8.5, 8.5.1, 8.6, 8.1.5, 10.6, 10.6.1
AC-03 Access Enforcement 7.1, 7.1.2, 7.2, 7.2.1, 7.2.2, 7.2.3, 8.1.5, 8.3, 10.4.2, 1.1.5
AC-04 Information Flow Enforcement 1.1.3, 1.1.4, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8
AC-05 Separation Of Duties 6.4.2
AC-06 Least Privilege 1.1.5, 7.1, 7.1.2, 7.1.4, 10.4.2, 7.1.1, 7.1.3, 10.2.2, 10.2.5
AC-07 Unsuccessful Login Attempts 8.1.6, 8.1.7
AC-11 Session Lock 8.1.8, 12.3.8
AC-12 Session Termination 8.1.8, 6.5.10, 12.3.8
AC-17 Remote Access 8.1.5, 12.3.8, 12.3.9, 12.3.10, 12.5.5, 2.3, 7.1, 7.1.1, 7.1.2, 7.1.3, 12.3
AC-18 Wireless Access 1.1.2, 2.1.1, 4.1.1, 12.3
AC-19 Access Control For Mobile Devices 4.2, 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7
AC-20 Use Of External Information Systems 7.1.4, 12.8.2, 12.3, 4.2
AC-25 Reference Monitor 6.5.8
AT-01 Security Awareness And Training Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.6
AT-02 Security Awareness Training 12.6.1
AT-03 Role-Based Security Training 12.6.1, 6.5, 9.9.3, 9.10
AT-04 Security Training Records 12.6.2
AU-01 Audit And Accountability Policy And Procedures 10.8, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
AU-02 Audit Events 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, A-1.3
AU-03 Content Of Audit Records 10.1, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, A-1.3
AU-04 Audit Storage Capacity 10.7, 10.5.4
AU-05 Response To Audit Processing Failures DE-3.1, DE-3.3, DE-5.1
AU-06 Audit Review, Analysis, And Reporting 10.6.3, 12.10.1, 12.10.5, A-1.3, 10.6, 10.6.1, 10.6.2, 10.5.1, 10.5.2
AU-07 Audit Reduction And Report Generation 10.6
AU-08 Time Stamps 10.3.3, 10.4, 10.4.1, 10.4.3
AU-09 Protection Of Audit Information 10.5, 10.5.1, 10.5.2, 10.5.3
AU-11 Audit Record Retention 5.2, 10.7
AU-12 Audit Generation 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.1, 10.3, 10.3.6, 10.5.1
CA-01 Security Assessment And Authorization Policy And Procedures 11.6, 12.1, 12.1.1, 12.2, 12.3, 12.4, 12.5.1
CA-02 Security Assessments 6.3, 11.1, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 12.2
CA-03 System Interconnections A-1.2, DE-2.2, DE-3.3, 1.2.1
CA-05 Plan Of Action And Milestones 6.2, 11.2, 11.3, DE-1.1, DE-3.2
CA-06 Security Authorization 6.4.5.2, 7.1.4, 12.3.1, 1.3.8, 3.5.1, 3.5.3, 6.4.5, 7.1
CA-07 Continuous Monitoring 11.2, 11.3, DE-1.2, DE-1.3, DE-3.3, 11.2.1, 11.2.2, 11.2.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4
CA-08 Penetration Testing 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4
CA-09 Internal System Connections 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.6
CM-01 Configuration Management Policy And Procedures 1.1, 2.5, 6.7, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
CM-02 Baseline Configuration 1.1.2, 1.2.2, 2.2, 2.2.4, 1.1.7, 6.4.5.4
CM-03 Configuration Change Control 1.1.1, 6.4, 6.4.5, 6.4.5.2
CM-04 Security Impact Analysis 6.4.5, 6.4.5.1, 6.4.5.3, 6.6, DE-2.1, DE-2.2, DE-2.2.1, DE-2.3, DE-2.4, DE-2.5, DE-3.3, 6.4, 6.4.1
CM-05 Access Restrictions For Change 6.4.2, 7.1.2
CM-06 Configuration Settings 2.2, 2.2.3, 2.2.4, 8.7
CM-07 Least Functionality 2.2.1, 2.2.2, 2.2.5, 6.6, 1.1.6
CM-08 Information System Component Inventory 2.4, 9.9.1, 11.1.1
CM-09 Configuration Management Plan 2.2
CP-01 Contingency Planning Policy And Procedures 12.10.1, 12.10.6
CP-02 Contingency Plan 12.10.1, 12.10.3, 12.10.6, 12.3.3
CP-03 Contingency Training 12.10.4
CP-04 Contingency Plan Testing 12.10.4
CP-09 Information System Backup 9.5.1, 12.10.1
CP-10 Information System Recovery And Reconstitution 6.4.5.4
IA-01 Identification And Authentication Policy And Procedures 8.1, 8.2, 8.8, 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.5.4
IA-02 Identification And Authentication (Organizational Users) 8.1.1, 8.2, 8.3
IA-03 Device Identification And Authentication 9.1.2
IA-04 Identifier Management 8.1.1, 8.1.2, 12.5.4, 7.1.4, 12.3.10, 8.5.1
IA-05 Authenticator Management 2.1, 2.1.1, 2.2, 6.4.4, 8.2.1, 8.2.2, 8.4, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 4.1, 6.3.1
IA-06 Authenticator Feedback 6.5.5
IA-08 Identification And Authentication (Non-Organizational Users) 8.5.1
IR-01 Incident Response Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.5.3
IR-02 Incident Response Training 12.10.4
IR-03 Incident Response Testing 12.10.2
IR-04 Incident Handling 11.1.2, 12.10.4, 12.10.6
IR-05 Incident Monitoring 12.10.6
IR-06 Incident Reporting 12.10.1
IR-07 Incident Response Assistance 12.5.3
IR-08 Incident Response Plan 12.10, 12.10.1, 12.10.3, A-1.4
MA-01 System Maintenance Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
MA-02 Controlled Maintenance 1.1.1, 6.5.4, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4, DE-2.2.1, DE-3.3
MA-04 Nonlocal Maintenance 8.1.5, 8.3, 8.5.1, 12.3.8, 12.3.9
MA-05 Maintenance Personnel 12.8.3
MP-01 Media Protection Policy And Procedures 9.6, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
MP-02 Media Access 9.7
MP-03 Media Marking 9.6.1
MP-04 Media Storage 9.5, 9.6.3, 9.7, 9.7.1
MP-05 Media Transport 9.6.2
MP-06 Media Sanitization 9.8, 9.8.1, 9.8.2
MP-07 Media Use 12.3, 12.3.5
PC-01 Limit Cardholder Data Storage 3.1
PC-02 Sensitive Authentication Data 3.2, 3.2.1, 3.2.2, 3.2.3
PC-03 Displayed Primary Account Number 3.3
PC-04 Stored Primary Account Number 3.4, 3.4.1
PC-05 Cryptographic Key Protection 3.5, 3.5.1, 3.5.2, 3.5.3
PC-06 Cryptographic Key Management Processes 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
PC-07 Stored Cardholder Data Protection Policies 3.7
PC-08 Remove Common Coding Vulnerabilities 6.5, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
PE-01 Physical And Environmental Protection Policy And Procedures 9.10, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
PE-02 Physical Access Authorizations 9.2, 9.3, 9.4, 9.4.1, 9.4.2, 9.4.3
PE-03 Physical Access Control 9.1, 9.1.1, 9.1.2, 9.1.3, 9.2, 9.9, 9.9.2
PE-04 Access Control For Transmission Medium 9.1.2, 9.1.3
PE-05 Access Control For Output Devices 12.3, 9.5, 12.3.3, 12.3.4
PE-06 Monitoring Physical Access 9.1.1
PE-08 Visitor Access Records 9.4.4
PL-01 Security Planning Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
PM-01 Information Security Program Plan 12.1, 12.1.1, 12.5
PM-02 Senior Information Security Officer 12.5
PM-04 Plan Of Action And Milestones Process DE-3.2
PM-05 Information System Inventory 2.4, 9.9.1, 11.1.1
PM-08 Critical Infrastructure Plan 12.2, 12.3
PM-09 Risk Management Strategy 12.2
PM-10 Security Authorization Process 12.3.1
PM-11 Mission/Business Process Definition 12.2
PM-13 Information Security Workforce DE-1.3, DE-3.3
PM-14 Testing, Training, And Monitoring 12.10.4
PM-15 Contacts With Security Groups And Associations 12.5.2, 6.1
PS-01 Personnel Security Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
PS-02 Position Risk Designation 7.1
PS-03 Personnel Screening 12.7
PS-04 Personnel Termination 9.3
PS-06 Access Agreements 12.3.5
RA-01 Risk Assessment Policy And Procedures 6.1, 6.3.2, 6.5.6, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.6, 12.1, 12.1.1, 12.2, 12.3, 12.4, 12.5.1
RA-02 Security Categorization 3.1, DE-2.5, DE-2.5.1
RA-03 Risk Assessment 6.1, 6.3.2, 6.5.6, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 12.2, DE-2.2
RA-05 Vulnerability Scanning 6.3.2, 11.2, 11.2.1, 11.2.2, 11.2.3
SA-01 System And Services Acquisition Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
SA-04 Acquisition Process 6.3
SA-09 External Information System Services 2.6, 8.5.1, 12.8, 12.8.2, 12.8.5, A-1, A-1.2, 12.8.3, 12.8.4, 12.8.1, 12.9
SA-10 Developer Configuration Management 6.3.2, 6.4, 6.4.5, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4
SA-11 Developer Security Testing And Evaluation 6.3, 6.3.2, 6.5.3
SA-15 Development Process, Standards, And Tools 6.4.3
SA-18 Tamper Resistance And Detection 9.9, 9.9.2
SC-01 System And Communications Protection Policy And Procedures 1.5, 3.7, 4.3, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
SC-02 Application Partitioning 8.7
SC-07 Boundary Protection 1.1.4, 1.2.3, 1.3.4, 6.6, 1.2, 1.1.2, 1.2.1, 1.3.1, 1.3.2, 1.3.3, 1.4, A-1.1
SC-08 Transmission Confidentiality And Integrity 4.1, 4.1.1, 6.5.4
SC-10 Network Disconnect 8.1.8, 12.3.8
SC-12 Cryptographic Key Establishment And Management 3.5, 3.5.1, 3.5.2, 3.5.3, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
SC-13 Cryptographic Protection 3.5, 3.6, 4.1, 4.2, 4.3
SC-28 Protection Of Information At Rest 3.4, 3.7, 6.5.3
SC-39 Process Isolation A-1.1
SC-43 Usage Restrictions 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7
SI-01 System And Information Integrity Policy And Procedures 5.4, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
SI-02 Flaw Remediation 6.1, 6.2, 6.5.6, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3.3
SI-03 Malicious Code Protection 5.1, 5.1.1, 5.1.2, 5.2, 5.3, 6.6, 11.4, DE-5.1
SI-04 Information System Monitoring 6.6, 11.4, DE-5.1, 5.2, 12.10.5, 11.1, 10.6, 10.6.1, 10.6.2
SI-05 Security Alerts, Advisories, And Directives 12.5.2
SI-07 Software, Firmware, And Information Integrity 10.5.5, 11.5, 11.5.1, 10.5, 12.10.5
SI-10 Information Input Validation 6.5.1, 6.5.2, 6.5.7, 6.5.9
SI-11 Error Handling 6.5.5
SI-12 Information Handling And Retention 3.1
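The raw map above is plain text with slightly inconsistent delimiters (spaced and unspaced commas; numeric, A-x and DE-x references). As an added example, not part of the original post or of the spreadsheet, here is a small Python parser that loads rows in this format and builds the reverse map (PCI requirement to NIST controls), the same direction as the "blind reverse map" mentioned further down the page. The embedded rows are excerpted from the map above; the regular expressions for control IDs and PCI references are my assumptions about its format.

```python
import re
from collections import defaultdict

# Rows excerpted verbatim from the raw map above, including the unspaced
# comma style of the PC-* rows and the A-/DE- style references.
RAW_MAP = """\
AC-05 Separation Of Duties 6.4.2
AC-07 Unsuccessful Login Attempts 8.1.6, 8.1.7
AU-07 Audit Reduction And Report Generation 10.6
CM-05 Access Restrictions For Change 6.4.2, 7.1.2
PC-02 Sensitive Authentication Data 3.2,3.2.1,3.2.2,3.2.3
PM-04 Plan Of Action And Milestones Process DE-3.2
SC-39 Process Isolation A-1.1
"""

# Assumed row format: "<XX-NN> <control name words> <refs...>", where a ref is a
# PCI requirement (12.10.1), an Appendix A item (A-1.3) or a DE item (DE-2.2.1).
CONTROL_ID = re.compile(r"^[A-Z]{2}-\d{2}$")
PCI_REF = re.compile(r"^(?:\d+|A-\d+|DE-\d+)(?:\.\d+)*$")

def ref_key(ref):
    """Sort refs numerically by section (1.2 before 1.10); appendices last."""
    prefix, _, num = ref.rpartition("-")
    return (prefix, tuple(int(n) for n in num.split(".")))

def parse_row(line):
    """Return (control_id, name, refs). Refs are peeled off from the right;
    the first token that is not a ref marks the end of the control name."""
    tokens = line.split()
    if not tokens or not CONTROL_ID.match(tokens[0]):
        raise ValueError(f"bad control id in row: {line!r}")
    refs = []
    while len(tokens) > 1:
        parts = [p for p in tokens[-1].split(",") if p]  # "3.2,3.2.1" or "8.1.6,"
        if not parts or not all(PCI_REF.match(p) for p in parts):
            break
        refs = parts + refs
        tokens.pop()
    if not refs:
        raise ValueError(f"no PCI references in row: {line!r}")
    return tokens[0], " ".join(tokens[1:]), sorted(set(refs), key=ref_key)

def parse_map(text):
    """control_id -> (name, refs); blank lines and the header row are skipped."""
    rows = (l for l in text.splitlines() if l.strip() and not l.startswith("CONTROLS"))
    return {cid: (name, refs) for cid, name, refs in map(parse_row, rows)}

def reverse_map(forward):
    """PCI requirement -> sorted NIST control ids that cite it, in PCI order."""
    rev = defaultdict(set)
    for cid, (_, refs) in forward.items():
        for ref in refs:
            rev[ref].add(cid)
    return {ref: sorted(rev[ref]) for ref in sorted(rev, key=ref_key)}
```

Feeding the full map into `parse_map` and diffing the keys of `reverse_map` against the list of PCI DSS requirements is a quick way to find requirements that no NIST control covers yet.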

Wednesday, April 20, 2016

Document Access

Working some things out – temporarily disabled… Directly contact me if there's something that you need. Davischr2@Gmail.com. You can also contact me using my VMware email address, ChrisDavis@VMware.com.

Quick and Dirty Cloud Assessment

Some of you guys have insane resources, capital, people, that you can throw at the problem until it's solved.

Unfortunately, that's not all of you. Or maybe it IS you, but you're not going to spend any more time than necessary to make sure that you have the basics covered.

Here's the short list.

1. Review the following list of security solutions and make sure that you have an answer for each of the security solutions/products that applies to you.

http://www.cloudauditcontrols.com/p/requirements-checklist.html

2. Find the hardening guide for each of the products you have installed, and focus on reducing the attack surface and exploitability of the systems by implementing moderate to complete hardening.

3. Ensure that you have basic segmentation implemented to protect multitier applications.

4. Implement traffic filtering for external-facing applications. I'm a big fan of these guys (no affiliation whatsoever). Look at some of their other offerings as well.

https://www.incapsula.com/website-security/

If you want one of the best peer-reviewed security standards that I believe is actionable and reasonable to implement, consider PCI DSS. There is some overlap among the requirements, and it still requires a moderate amount of interpretation. I've done a tremendous amount of work in and around the standard, and I'm not speaking flippantly or borrowing someone else's opinion when I state these things.

Here's a short blog post that contains distilled requirements that I consider must-haves:

http://www.cloudauditcontrols.com/2012/03/practices-for-protecting-management.html

5. Final additional considerations, not specifically required by most regulations and standards: [a] consider network behavior anomaly detection, such as FireEye; [b] consider whitelisting, sandboxing, and other measures that limit attack surface, attack vectors, escalation, and attacker persistence.

This is typically when I tell organizations that are uncomfortable making product decisions to engage a reputable security-focused reseller. Of course I have my favorites for different situations. But I don't know your environment. My brother founded and runs https://www.criticalstart.com. I've used some of his guys in the past for different assessments. Good work. Another couple that I like are https://www.redlegg.com and https://depthsecurity.com. Both founded by stand-up guys that care about the customer and care about getting it right.

Tuesday, April 5, 2016

CVE Analysis Spreadsheet - 2015 through 2016 Q1


Here's a dump of the CVEs from January 2015 through March 2016 with a quick search feature. Simply enter a minimum CVSS score and any search terms under description, vendor, or product, and it immediately counts the combined matches. For example, the number of vulnerabilities from Microsoft with a CVSS score greater than 4 is 628; Apple has 613.

Simply navigate to the documents tab and look for CVE Analysis spreadsheet.

Friday, February 19, 2016

NIST Cyber Security Framework (CSF) Excel Spreadsheet

Go to the documents tab and look under the authorities folder. The spreadsheet contains a properly split-out table, a database import sheet, a search sheet, and a blind reverse map to 800-53r4.

Document: NIST Cybersecurity Framework.ver.xx
Documents Site: https://sites.google.com/site/cloudauditcontrols 

Wednesday, February 17, 2016

Excel Spreadsheet: HHS-ONC Security Risk Assessment Tool & HIPAA Security Rule Toolkit

Posting Excel spreadsheets of the Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment (SRA) Tool (https://www.healthit.gov/providers-professionals/security-risk-assessment-tool) and the NIST-provided HIPAA Security Rule Toolkit (http://scap.nist.gov/hipaa/).

You can download Controls_HIPAA.ver.01c.xlsx under the Documents tab which takes you here: https://sites.google.com/site/cloudauditcontrols/.

Friday, February 5, 2016

Why you need to read the Summary of NIST SP 800-53 Revision 4

This is the most concise list of answers I've seen to the most commonly asked questions and misconceptions my customers, peers, and students have about NIST SP800-53r4.

http://csrc.nist.gov/publications/nistpubs/800-53-rev4/sp800-53r4_summary.pdf

Just read the table of contents for a readout on those topics... It will look as if someone is reading my email! Nice work Kelley, Greg, and Doug.

Summary of NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
Kelley Dempsey, Computer Security Division, Information Technology Laboratory
Greg Witte and Doug Rike, G2, Inc., Annapolis Junction, MD
February 19, 2014
Table of Contents

1 Introduction
2 NIST SP 800-53 Revision 4 and the Risk Management Framework (RMF)
3 Control Baselines and Tailoring
4 Documenting the Control Selection Process
5 Assurance
6 Security Controls
7 International Information Security Standards
8 Overlays
9 Privacy

Here's how I loosely explain it.
  • [Introduction] 800-53 was put in place to define controls for federal systems. Controls keep bad things from happening.
  • [RMF] This assumes the use of the Risk Management Framework. You cannot get away from this. Learn and use it. Repeatedly.
  • [Baselines and Tailoring] The baselines are not meant to be blindly applied. They must be tailored for your situation.
  • [Documentation] Document everything.
  • [Assurance] Systems assurance helps you sleep at night.
  • [Controls] Security controls enable you to protect your systems from bad stuff.
  • [International] Yes!! There is a tremendous amount of overlap between these recommendations and international ISO-IEC recommendations. Look at how they line up! Perfectly? No. But wave your hands and explain it away. Don't do that... that's a joke. Seriously. Don't do that.
  • [Overlays] NIST understands they don't cover every situation and expect you to document additional protections they don't cover. Call these overlays.
  • [Privacy] Here's an example overlay.
On my wish list is a NIST for Dummies explained using Legos...

Wednesday, February 3, 2016

DRAFT Automation Support for Security Control Assessments

Here is a draft release that came out tonight for public review. This is solid and well thought out. I'm really looking forward to where this goes, and I'm going to be following it closely.


**NIST IR 8011: DRAFT Automation Support for Security Control Assessments**
http://csrc.nist.gov/publications/drafts/nistir-8011/nistir_8011_ipd-draft_vol1_overview.pdf

[From Executive Summary]
Evolving threats create a challenge for organizations that design, implement, and operate complex information systems containing many moving parts. The ability to assess all implemented information security controls as frequently as needed using manual procedural methods has become impractical and unrealistic for most organizations due to the sheer size, complexity, and scope of their information technology footprint. Additionally, the rapid deployment of new technologies such as mobile, cloud, and social media brings with it new risks that make ongoing manual procedural assessments of all controls impossible for the vast majority of organizations. Today there is broad agreement in the information security community that once an information system is in production, automation of security control assessments is needed to support and facilitate near real-time information security continuous monitoring (ISCM).

[From Introduction]
Automated assessments have the potential to provide more timely data about security control defects (i.e., the absence or failure of a control), better enabling organizations to respond before vulnerabilities are exploited. Additionally, automated security control assessment has the potential to be less expensive and less human resource-intensive than manual procedural testing. Any realized savings could free up resources to be used on other activities, for example, investing in additional safeguards or countermeasures or responding to security defects and incidents in a more timely manner.

[Planned Volumes]
Volume 1 Automation Support for Security Control Assessments
Volume 2 Hardware Asset Management (HWAM)
Volume 3 Software Asset Management (SWAM)
Volume 4 Configuration Settings Management
Volume 5 Vulnerability Management
Volume 6 Boundary Management (Physical, Filters, and Other Boundaries)
Volume 7 Trust Management
Volume 8 Security-Related Behavior Management
Volume 9 Credentials and Authentication Management
Volume 10 Privilege and Account Management
Volume 11 Event (Incident and Contingency) Preparation Management
Volume 12 Anomalous Event Detection Management
Volume 13 Anomalous Event Response and Recovery Management