September 8, 2017

IoT and Enterprise Infrastructure Cybersecurity Level with SANS TOP20 CSC

Андрей Дугин
My previous note (RU) covers the IoT components that must be protected. Another one (RU) lists the action plan needed from IoT vendors. Let's try to evaluate how IoT solutions affect the company infrastructure once they are implemented. The evaluation is qualitative and checks the enterprise for compliance with the SANS TOP20 CSC list.



The SANS TOP20 CSC checklist shows the information security status of an enterprise network. If you check the information security level after IoT implementation, you can see that it decreases. This applies to both large enterprises (Corp) and small/medium businesses (SMB/SOHO):

| # | Control name | Corp | SMB/SOHO |
|---|---|---|---|
| 1 | Inventory of Authorized and Unauthorized Devices | + | + |
| 2 | Inventory of Authorized and Unauthorized Software | +/- | - |
| 3 | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | + | - |
| 4 | Continuous Vulnerability Assessment and Remediation | + | - |
| 5 | Controlled Use of Administrative Privileges | +/- | - |
| 6 | Maintenance, Monitoring, and Analysis of Audit Logs | + | - |
| 7 | Email and Web Browser Protections | + | + |
| 8 | Malware Defenses | + | + |
| 9 | Limitation and Control of Network Ports, Protocols, and Services | + | - |
| 10 | Data Recovery Capability | + | - |
| 11 | Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | + | +/- |
| 12 | Boundary Defense | +/- | - |
| 13 | Data Protection | +/- | - |
| 14 | Controlled Access Based on the Need to Know | +/- | - |
| 15 | Wireless Access Control | +/- | - |
| 16 | Account Monitoring and Control | +/- | +/- |
| 17 | Security Skills Assessment and Appropriate Training to Fill Gaps | +/- | +/- |
| 18 | Application Software Security | +/- | +/- |
| 19 | Incident Response and Management | +/- | - |
| 20 | Penetration Tests and Red Team Exercises | +/- | - |

Pluses and minuses mean:
  • + "real": the requirement can be met with the current infrastructure as it is, or with little or no change or extension.
  • +/- "may be": the requirement can be met, but the organization needs some investment, change, or extension of the current situation. It may also require additional functionality from the vendor or even a different solution.
  • - "unreal": a compliant solution may cost too much to be approved by stakeholders.

The "real - unreal" assessment and conclusion rest on the author's expertise and may differ if another expert performs the evaluation. The result depends on the maturity level of the evaluated company, but the conclusion is common: IoT without security measures decreases the cybersecurity level of any organization.
There is a popular joke on the web:
The letter S in the IoT abbreviation stands for "Security"
It is important to understand the actions needed to minimize cybersecurity risks when implementing IoT:
  • What is necessary to raise the IoT security level to the corporate maturity level
  • Who must do it to keep the cost of the IoT solution reasonable
So, let's try to describe the information security measures for IoT solution implementation according to the SANS TOP20 CSC requirements:

| # | Control name | ToDo | Who |
|---|---|---|---|
| 1 | Inventory of Authorized and Unauthorized Devices | 1. Include IoT devices in the device inventory process. | Customer |
| 2 | Inventory of Authorized and Unauthorized Software | 1. Include IoT devices in the software inventory process. | Customer |
| | | 2. Implement IoT software inventory support. | Vendor |
| 3 | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | 1. Implement security configuration management solutions for IoT infrastructure and users'/admins' devices. | Customer |
| | | 2. Implement a security compliance process for IoT infrastructure and users'/admins' devices. | Customer |
| | | 3. IoT infrastructure secure configuration by default. | Vendor, solution provider |
| 4 | Continuous Vulnerability Assessment and Remediation | 1. Include IoT in the patch management and vulnerability management processes. | Customer |
| | | 2. Patches and critical software upgrades support for IoT devices. | Vendor |
| 5 | Controlled Use of Administrative Privileges | 1. Include IoT devices in the admin privileges control process. | Customer |
| | | 2. Implement IoT OS account control support. | Vendor |
| 6 | Maintenance, Monitoring, and Analysis of Audit Logs | 1. Organize infrastructure for log management from the Internet. | Customer |
| | | 2. Implement IoT OS remote log sending ability. | Vendor |
| 7 | Email and Web Browser Protections | 1. IoT software and OS protection from malicious code. | Vendor |
| 8 | Malware Defenses | 1. IoT software and OS protection from malicious code. | Vendor |
| 9 | Limitation and Control of Network Ports, Protocols, and Services | 1. Implement security architecture for IoT devices. | Customer |
| | | 2. Implement IoT network access ports control technologies and processes. | Customer |
| | | 3. Implement ITGC controls for IoT network services. | Customer |
| 10 | Data Recovery Capability | 1. Include IoT devices in data recovery processes. | Customer |
| | | 2. Implement data recovery ability support for IoT devices. | Vendor |
| 11 | Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | 1. Implement security configuration management solutions for network devices controlling IoT. | Customer |
| | | 2. Implement a security compliance process for network devices controlling IoT. | Customer |
| 12 | Boundary Defense | 1. Implement security architecture for IoT. | Customer |
| | | 2. Implement security architecture support for IoT devices. | Vendor |
| 13 | Data Protection | 1. Implement security architecture for IoT. | Customer |
| | | 2. Implement IoT data management process. | Customer |
| | | 3. Implement IoT configuration management process. | Customer |
| | | 4. Implement IoT devices software and OS protection from malicious code. | Vendor |
| | | 5. Implement IoT devices software and OS ability to participate in data/configuration management process. | Vendor |
| | | 6. Implement security architecture support for IoT devices. | Vendor |
| 14 | Controlled Access Based on the Need to Know | 1. Implement security architecture for IoT. | Customer |
| | | 2. Implement security policy for IoT access control. | Customer |
| | | 3. Implement IoT devices support for security architecture and corporate access control solution. | Customer |
| 15 | Wireless Access Control | 1. Implement security architecture for IoT. | Customer |
| | | 2. Implement wireless access control for IoT devices. | Customer |
| | | 3. Implement security features for wireless IoT devices. | Vendor |
| 16 | Account Monitoring and Control | 1. Implement account monitoring and control for IoT. | Customer |
| | | 2. Implement account monitoring and control feature for IoT devices. | Vendor |
| 17 | Security Skills Assessment and Appropriate Training to Fill Gaps | 1. Train staff in IoT threat mitigation. | Customer |
| | | 2. IoT devices secure configuration by default. | Vendor |
| 18 | Application Software Security | 1. Include IoT devices in the software security compliance process. | Customer |
| | | 2. Implement IoT software secure development process. | Vendor |
| 19 | Incident Response and Management | 1. Include IoT devices in the incident response and management process. | Customer |
| | | 2. Implement security features for IoT software. | Vendor |
| 20 | Penetration Tests and Red Team Exercises | PenTest IoT infrastructure | Customer |

The last table shows that the customer must meet the SANS TOP20 Critical Security Controls requirements and the IoT vendor should provide the ability to reach the needed security level. It is easy to say but hard to do, yet nothing in the described requirements is impossible if your enterprise uses SANS TOP20 CSC as a checklist and requires compliance with it at the project design stage for IoT solutions.
