Risk Self-Evaluation Spreadsheet [Shared]
Tiny URL: https://goo.gl/9x1NdQ
Securing Commodity IT Doc: http://trustedci.org/guide/docs/commodityITAssessment
Date: yyyy-mm-dd

Columns: Section | Risk | Goal | Recommended Control | Mitigated? | Comments
(Mitigated? and Comments are blank in this copy of the sheet; each row below gives Section, Risk, Goal and Recommended Control.)

POLICY AND PROCEDURES

2.1
Risk: Poor credential management by users can lead to compromise by an attacker. Resources can be used for unacceptable/illegal purposes.
Goal: Ensure users are aware of their responsibilities when using IT resources.
Recommended control: Have a published acceptable use policy that all users are required to accept and uphold.

2.2
Risk: Implementation of security procedures can be overlooked, or conflicting implementations can be put in place.
Goal: Make certain IT staff are knowledgeable of and support security policy, requirements, and procedures.
Recommended control: Designate an Information Security Officer for your project, with clear responsibilities, authority, and relationships to project leadership and personnel. Develop and communicate project-wide security policies and procedures to staff.

2.3
Risk: Mistakes and omissions occur when people are unsure of what is required of them, creating inefficiencies that cost time and money.
Goal: Ensure IT staff have a clear understanding of their role, function, and responsibilities.
Recommended control: Maintain and communicate roles and responsibilities for all IT staff.

2.4
Risk: IT assets that are not documented are at greater risk of becoming targets for attackers. Neglect can result in missing critical OS/service patches, unused/dormant accounts being targeted, and insufficient monitoring to alert IT staff of active attacks.
Goal: Maintain an accurate inventory of IT infrastructure.
Recommended control: Develop and maintain a complete inventory of IT assets. Tools such as nmap can be used to discover hosts and services on a network.

2.5
Risk: Ineffective or delayed emergency response may cause incidents to continue unmitigated, increasing the impact of a compromise.
Goal: Respond effectively to security events.
Recommended control: Develop and communicate an incident response plan to operational staff. Test the plan on an annual basis to ensure plan completeness and to make adjustments as needed.

2.6
Risk: Intruders may install a variety of tools and destroy data. It can be impossible to determine whether intruder tools have been completely removed.
Goal: Recover quickly from damage.
Recommended control: Hosts that are known to be compromised should be rebuilt from a known good image. Keep regular backups of system configurations and user data to ensure restoration of services and data.

HOST PROTECTION

3.1
Risk: Exploits against known vulnerabilities may provide remote and local privilege escalation, allowing an attacker to gain root or privileged access to a resource.
Goal: Keep patches up to date.
Recommended control: Apply patches as soon as possible.

3.2
Risk: Changes and patches may expose a security vulnerability that was previously closed.
Goal: Ensure information systems are secure after patching.
Recommended control: Test systems with vulnerability assessment tools to verify that patches and changes work as expected and have not introduced new security issues. Common vulnerability testing tools to consider: Nessus, OpenVAS, Metasploit.

3.3
Risk: Inconsistent procedures to update systems may result in vulnerable systems.
Goal: Maintain proper configuration management.
Recommended control: Use a centralized configuration management tool to ‘push’ new configuration files to hosts on the network.

3.4
Risk: Unnecessary services introduce weaknesses. Default software installations often start up services that are not needed. These services may be used to garner information about the system, or may have a default configuration that allows unintentional access to a system.
Goal: Disable/remove unnecessary services.
Recommended control: Services should be audited on installed systems. If possible, start with all services disabled and add the ones that are required. Or, at a minimum, services that are not required should be disabled.

3.5
Risk: System installers often install numerous setuid/setgid programs that are unnecessary and in some cases introduce vulnerabilities that enable privilege escalation.
Goal: Eliminate unnecessary setuid/setgid programs.
Recommended control: setuid/setgid programs that are not needed for proper functioning of the system should be removed or disabled. Those that are needed should be evaluated for vulnerability and configuration issues.

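Control 3.5 calls for removing or disabling unneeded setuid/setgid programs and reviewing the rest; the first step is knowing which ones a host actually has, and re-checking after every patch cycle. The following POSIX shell script is an added example and is not code from the spreadsheet or from the Trusted CI guide. The allow-list file (one absolute path per line, kept under change control) and its path are assumptions of the example.

```shell
# Added example (not from the spreadsheet or the Trusted CI guide): inventory the
# setuid/setgid programs on a host and flag any that are not on a site allow-list.
# The allow-list format (one absolute path per line) is an assumption of this example.

# Print every regular file under directory $1 that carries the setuid (4000) or
# setgid (2000) bit, one path per line, sorted. -xdev keeps the walk on one filesystem
# so that network mounts (which should already be nosuid) are not re-scanned.
find_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare the privileged files under $1 with allow-list file $2.
# Prints "UNEXPECTED: <path>" for each file that is not on the list.
# Returns 1 if anything unexpected was found, 0 otherwise, so the script can
# be run from cron and alert on a non-zero exit.
audit_privileged() {
    root="$1"; allow="$2"; rc=0
    found=$(mktemp)
    find_privileged "$root" > "$found"
    while IFS= read -r f; do
        if ! grep -qxF -- "$f" "$allow"; then
            printf 'UNEXPECTED: %s\n' "$f"
            rc=1
        fi
    done < "$found"
    rm -f "$found"
    return "$rc"
}

# Usage on a live host (allow-list path is a placeholder chosen for this example):
#   audit_privileged / /etc/security/setuid-allowlist.txt
```

The allow-list is the review record the control asks for: every path on it is a program someone decided the system needs, and anything that appears outside it after a package update is a candidate for `chmod u-s`/`chmod g-s` or removal.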
3.6
Risk: Services designed to work within a particular trust boundary sometimes have vulnerabilities that can be exploited across those boundaries.
Goal: Restrict access to services.
Recommended control: Services that are only to be accessed from within a trust boundary (e.g., only hosts on the same cluster) should have access restricted to those hosts only. Even if the service does not have a known vulnerability, it should be restricted to the hosts/networks where it is needed. Where access is allowed across trust boundaries, a strong authentication mechanism should be used to authenticate hosts or users. For example, host-based SSH authentication should be restricted to nodes within a cluster.

3.7
Risk: Networks are commonly monitored by attackers. Any network outside of local control must be assumed to be monitored. Cleartext authentication credentials can be intercepted across networks.
Goal: Protect authentication credentials.
Recommended control: Use strong authentication mechanisms (e.g., strong passwords, GSI, SSH keys, OTP) for services. Where passwords are transmitted across a network, they must be encrypted.

3.8
Risk: Users with privileged access may be targeted in order for an attacker to elevate privileges.
Goal: Control access to privileged accounts and require individual accountability and higher security requirements for users who have privileged access.
Recommended control: When possible, use multifactor authentication mechanisms for privileged access (password + one-time password, or SSH key + one-time password). Privileged access should be limited to those that need it. sudo (with a password other than the user password) should be used where possible. Remote root access should not be allowed across trust boundaries, and should be further restricted wherever possible. Root access by users should be done in a manner that provides accountability to the user. Root passwords should be different across trust boundaries. Root passwords must be changed when staff with the root password leave or change roles.

3.9
Risk: Trust relationships that cross a trust boundary can be exploited by an attacker from one side of the trust boundary to gain unauthorized access on the other side.
Goal: Define trust boundaries and reduce transitive trust relationships across those boundaries.
Recommended control: Machines with which there is a trust relationship (e.g., NFS servers, DNS servers) must be considered within the same trust boundary and must be protected at least as well as the rest of the system.

3.10
Risk: File services such as NFS traditionally have limited authentication capabilities. These systems, if accessible outside of the trust boundary, can easily be exploited to gain privileged access and/or to corrupt data.
Goal: Protect the NFS service from access by unauthorized hosts, and prevent users from circumventing access controls.
Recommended control: NFS service should be limited to the local (preferably internal) network of the cluster. File systems should be mounted with the nosuid, nodev, root=nobody options. Where possible, file systems should be mounted read-only and/or with the noexec option. NFS servers must be configured to refuse mount requests from unprivileged source ports. Network filtering should be used to block NFS traffic from hosts which are not clients of the NFS server. NFS requires that uid mappings be consistent across all clients.

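Mount options drift: a file system remounted by hand during an outage, or a new client built from an old image, can quietly lose nosuid or nodev. The following POSIX shell script is an added example, not code from the spreadsheet or the Trusted CI guide; it reads a /proc/mounts-style table and reports NFS mounts that lack the hardening options named in control 3.10. Which options are mandatory is a site decision; treating nosuid and nodev as required and noexec and ro as recommended is this example's assumption, and the sample mount table is constructed, not captured from a real host.

```shell
# Added example (not from the spreadsheet or the Trusted CI guide): check a
# /proc/mounts-style table for NFS mounts that lack the hardening options from
# control 3.10. The split into required and recommended options is an assumption
# of this example; adjust both lists to site policy.

REQUIRED_NFS_OPTS="nosuid nodev"
RECOMMENDED_NFS_OPTS="noexec ro"

# Return 0 if comma-separated option string $1 contains option $2 as a whole token
# (so "nodev" is not matched by "nodevfoo", and "ro" is not matched by "rw").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read mount table $1 (fields as in /proc/mounts: device mountpoint fstype options ...).
# For every nfs/nfs4 mount print "<mountpoint> missing <opt>" for each required
# option it lacks and "<mountpoint> consider <opt>" for each recommended one.
# Returns 1 if any required option is missing on any mount, 0 otherwise.
check_nfs_mounts() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        for o in $REQUIRED_NFS_OPTS; do
            has_opt "$opts" "$o" || { printf '%s missing %s\n' "$mnt" "$o"; rc=1; }
        done
        for o in $RECOMMENDED_NFS_OPTS; do
            has_opt "$opts" "$o" || printf '%s consider %s\n' "$mnt" "$o"
        done
    done < "$1"
    return "$rc"
}

# Write a constructed mount table (not captured from a real host) to file $1:
# /home is mounted the way the control asks, /scratch was mounted with defaults.
write_sample_mounts() {
    cat > "$1" <<'EOF'
nfsserver:/export/home /home nfs4 rw,relatime,vers=4.1,nosuid,nodev,noexec 0 0
nfsserver:/export/scratch /scratch nfs rw,relatime,vers=3 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# Usage on a live Linux client:  check_nfs_mounts /proc/mounts
```

Run from the same configuration-management system that pushes /etc/fstab (control 3.3), the non-zero exit turns a silent drift into a ticket. The server-side half of the control (refusing mounts from unprivileged ports, restricting exports to client hosts, consistent uid mapping) lives in the exports and network filter configuration and is not covered by this client-side check.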
3.11
Risk: Attackers may tamper with local log files to hide their access and ‘erase’ unauthorized changes to a host.
Goal: Maintain an accurate accounting of all system logs for accounting, auditing and forensic needs.
Recommended control: Have all machines export their log data to a centralized and protected log server. Perform analysis on log data to identify any unusual activity.

NETWORK SECURITY

4.1
Risk: Some attacks at the network level cannot be detected at the host level.
Goal: Provide network monitoring capability.
Recommended control: Be prepared to monitor/capture network data as necessary. Network flow information can provide useful information about attacker activities and their source, as well as outbound intruder activity.

4.2
Risk: Address spoofing and man-in-the-middle attacks can be used to take advantage of trust relationships between machines, allowing an attacker to obtain a user’s credentials and/or hijack a user’s session.
Goal: Prevent IP address spoofing both inbound and outbound.
Recommended control: Use anti-spoofing filters for both ingress and egress at trust boundaries. Use Public Key Infrastructure to attest to trust relationships between the machines and users.

4.3
Risk: Vulnerable network services are subject to remote exploitation. Sometimes these services cannot be fixed at the host level.
Goal: Block services that cannot be access-controlled at the host level.
Recommended control: Configure network devices to block packets at the host/port level as necessary.

4.4
Risk: Compromise of network devices can be used for Denial of Service (DoS) attacks, credential harvesting, scanning activities, spam generation, and attacks on other hosts.
Goal: Manage and protect network devices.
Recommended control: Employ a security scanning service to identify vulnerable hosts for remediation. Only encrypted authentication methods are to be supported for remote access to network devices. If feasible, deploy an Intrusion Detection Service to alert on malicious network activity.

PHYSICAL SECURITY

5.1
Risk: Physical access can be used to compromise hosts within a trust boundary.
Goal: Protect information systems from unauthorized physical access.
Recommended control: Physical access to systems must be restricted to only authorized individuals.

MONITORING AND LOGGING

6.1
Risk: Inaccurate system timestamps can make it very difficult to analyze log files from hosts/systems.
Goal: Maintain consistent and accurate dates and times across the infrastructure.
Recommended control: Use NTP (Network Time Protocol) to synchronize the clocks of all hosts/systems.

6.2
Risk: If logs are unmonitored, administrators' first notification of an intrusion is often a service or services going down.
Goal: Monitor log files for indications of intrusion attempts, intruder activity, and privilege escalation.
Recommended control: Implement and configure log monitoring tools. Have tools available for analysis of logs during and after a security event.

6.3
Risk: Logging data is often erased or modified by an intruder once a host is compromised.
Goal: Ensure high integrity of all logging data.
Recommended control: Forward all logs to a central log host. The log host should be well protected. Logs on the log host should be rotated and archived for as long as possible.

6.4
Risk: Particular log information can be critical for determining information about an attack.
Goal: Implement a minimum set of event logging.
Recommended control: Record connections to services: local and remote host and local user, with accurate timestamps. Log all critical services: system boot and shutdown, all root logins, su, and sudo.

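Once root logins, su and sudo are being logged (and forwarded to the central log host per 6.3), the next question is whether anyone looks at them. The following POSIX shell script is an added example, not code from the spreadsheet or the Trusted CI guide: it pulls exactly those events out of a syslog-format auth log so that a daily summary can be mailed to the Information Security Officer, and separately lists remote SSH logins as root, which control 3.8 says should not cross trust boundaries. The log lines are constructed for this example (host names, users, addresses and the key fingerprint are made up); their message formats follow OpenSSH, su and sudo on a typical Linux host.

```shell
# Added example (not from the spreadsheet or the Trusted CI guide): extract the
# events control 6.4 asks for (root logins, su, sudo) from a syslog-format auth log.

# Write a constructed auth log (not captured from a real host) to file $1.
write_sample_authlog() {
    cat > "$1" <<'EOF'
Mar  3 10:01:12 node1 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:02:40 node1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart slurmd
Mar  3 10:05:03 node1 su[2230]: (to root) bob on pts/1
Mar  3 10:06:15 node1 sshd[2301]: Accepted password for root from 198.51.100.7 port 40011 ssh2
Mar  3 10:07:00 node1 CRON[2350]: pam_unix(cron:session): session opened for user alice by (uid=0)
EOF
}

# Print the privileged-activity lines from auth log $1:
# SSH logins as root, every su, and every sudo command. Ordinary user logins
# and cron sessions are left out so the daily summary stays readable.
privileged_events() {
    grep -E 'sshd\[[0-9]+\]: Accepted [a-z]+ for root from|su\[[0-9]+\]:|sudo: ' "$1"
}

# Print the source address of every SSH login as root found in auth log $1.
# Any address outside the cluster's own network is a finding under control 3.8.
remote_root_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted [a-z]+ for root from' "$1" \
        | sed -E 's/.* from ([^ ]+) port.*/\1/'
}

# Number of privileged events in auth log $1; a cheap day-over-day metric.
count_privileged_events() {
    privileged_events "$1" | wc -l | tr -d ' '
}

# Usage on a live host:  privileged_events /var/log/auth.log
```

On the central log host the same functions apply to the aggregated file, which is where they should run: a local copy of auth.log is exactly what control 6.3 warns an intruder will edit.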
6.5
Risk: Process accounting can be useful in determining attacker activity.
Goal: Enable process accounting.
Recommended control: Enable process accounting and archive pacct files.