Implementing a cybersecurity program with Faraday.

This article covers a real-world example of using Faraday to manage a cybersecurity program. A subset of cybersecurity processes is described, but the tool is not limited to those. Please be creative and use it to cover your own needs :)

Asset Management (know what we have).

Asset management is perhaps the most critical process you must put in place to start a cybersecurity program. Knowing which assets you have and what their value is for the business is the key principle for applying cost-effective security solutions. You can consolidate all your main assets into Faraday, using tags or even some kind of “asset registration”, and describe the main information needed for proper cybersecurity management, such as:

  • Asset Owner
  • IT Owner
  • Security Owner
  • Business Involved
  • SLA
Another good approach would be to define a RACI matrix to know “who is who” regarding cybersecurity responsibilities. With this RACI you can define who is responsible, accountable and so on for the different security processes, such as patch management, incident response, hardening, etc.

The tag feature increases the quality of your asset data because you can describe attributes such as B2C, PCI, HIPAA, etc.

For example, you can run your vulnerability scanning tool over the most critical assets and integrate the results into Faraday. This is a good way to answer the question “What could happen to our most critical assets?” :)

You can read more about this in #CISControls CSC-1, but this process is also part of ISO, NIST, PCI, the DSD Top 35 Mitigation Strategies, and other references.

Note: you should define a roadmap that follows your cybersecurity objectives. This means increasing the scope based on the value of the assets and their risk exposure.

Compliance Management

Reference | Section
CIS Controls | CSC 1 - Inventory of Authorized and Unauthorized Devices
CIS Controls | CSC 2 - Inventory of Authorized and Unauthorized Software
Australia DSD Top 35 Mitigation Strategies | Application Whitelisting
PCI-DSS | 2.4 Maintain an inventory of system components that are in scope for PCI DSS
ISO 27002 | 8.1 Responsibility for assets
NCSC Ten Steps for Cybersecurity | Secure Configuration

Security Hardening

Another security process you can support with Faraday is security hardening: once you know what your assets are and how they need to run, you can apply a secure configuration. Security hardening is the process of providing a good, secure configuration for your assets. For this purpose you can use many references, for example the CIS Benchmarks, but focusing on Faraday, you can use the tool to identify whether your assets follow your own rules, for example:

  • Are we using insecure protocols like FTP, Telnet, SNMP or SMBv1?
  • Are we using default accounts like root, sa, sys, system, admin, etc.?
  • Are we using this port for this service? Are we sure we need this port open?
  • Were we involved when this new service became available? Is it a new platform? What is the project ID? Do we have a change request for it?

You can even connect Faraday with your compliance management tool to obtain results and do proper follow-up. You can also create reports about insecure services, services by server, and other security KPIs.

You can read more about this in #CISControls CSC-3, but this process is also part of ISO, NIST, PCI, the DSD Top 35 Mitigation Strategies, and other references.

Compliance Management

Reference | Section
CIS Controls | CSC 3 - Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CIS Controls | CSC 9 - Limitation and Control of Network Ports, Protocols, and Services
CIS Controls | CSC 11 - Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Australia DSD Top 35 Mitigation Strategies | OS Hardening
Australia DSD Top 35 Mitigation Strategies | APP Hardening
PCI-DSS | 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards
PCI-DSS | 2.3 Encrypt all non-console administrative access using strong cryptography
ISO 27002 | 9.4 System and application access control
ISO 27002 | 13.1 Network security management
NCSC Ten Steps for Cybersecurity | Secure Configuration
NCSC Ten Steps for Cybersecurity | Network Security

Vulnerability Management

Security is a process, nothing new about that, so you must run continuous activities to know what your exposure to new threats is. As part of your vulnerability management process, you should define a security scan schedule (weekly, monthly, quarterly, etc.). Faraday supports the most common security scanning tools and gives you extra capabilities to make this more transparent and automatic by consolidating all the findings in one place :)

You can run different tools, with the same or a different scope, and use Faraday to review the results in one place; this is a better way to get the “entire picture”, for example across internal and external security scans.

A quick recap: if we know who is accountable for the security of an asset, we can assign the security issue to that person and follow it up using Faraday. In other words, use the asset management registers to improve vulnerability management. Faraday can be connected to the most common ticketing tools, so you can follow progress from the same place where you have the finding.

Faraday can be integrated with the most common security scanning tools to get the best view of your exposure, all in one place. You can also create reports based on the results, for example:

  • Top 10 most vulnerable assets
  • Top 10 assets with critical findings
  • Top 10 insecure servers
  • Top 10 protocols
  • Platforms with the most vulnerabilities

As always, you should define the reports based on the security objectives that are part of your cybersecurity program. These should be part of a security dashboard :)

You can read more about this in #CISControls CSC-4, but this process is also part of ISO, NIST, PCI, the DSD Top 35 Mitigation Strategies, and other references.

Compliance Mapping

Reference | Section
CIS Controls | CSC 4 - Continuous Vulnerability Assessment and Remediation
CIS Controls | CSC 18 - Application Software Security
Australia DSD Top 35 Mitigation Strategies | Patch Applications
Australia DSD Top 35 Mitigation Strategies | Patch Operating Systems
PCI-DSS | 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
PCI-DSS | 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release
PCI-DSS | 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks
PCI-DSS | 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)
ISO 27002 | 9.4 System and application access control
ISO 27002 | 18.2 Information security reviews
NCSC Ten Steps for Cybersecurity | Secure Configuration
NCSC Ten Steps for Cybersecurity | Network Security

Pentest Management

A pentest is a “verification process”: you should use it to verify whether your project has followed the security rules (as part of your SDLC). The worst scenario is to wait for the pentest before applying security measures; this is more expensive than including security from the beginning and puts the project go-live at risk.

In Faraday you can consolidate all the results and use them for proper follow-up. After remediation you can also register the verification in the tool, so the whole lifecycle of the issue is in one place. You can also use tags to mark which pentest calendar applies to each platform, for example: this year, next year, decommissioned, etc.

Another usage is applying tags to match findings, for example: a vulnerability on a PCI asset with a CVSS between 7 and 10 means a PCI non-compliance situation, or an OWASP Top 10 issue means PCI non-compliance. These are just examples.
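As an added illustration (not code from this article or from the Faraday project), the reports listed in the vulnerability management section and the tagging rule above, applied in Python to a constructed set of hosts and findings. The data shapes, the hardening protocol list, the “PCI-NonCompliance” tag name and the 9.0 critical threshold are assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed sample data shaped like a consolidated workspace: hosts carry
# asset tags and exposed services, findings carry a CVSS score. These are not
# Faraday's own data structures or API; they only illustrate the article.
HOSTS = {
    "10.0.0.5":  {"tags": {"PCI"}, "services": ["https", "ssh"]},
    "10.0.0.9":  {"tags": {"PCI"}, "services": ["ftp", "telnet"]},
    "10.0.1.20": {"tags": {"B2C"}, "services": ["https"]},
}
FINDINGS = [
    {"host": "10.0.0.5",  "name": "Reflected XSS",    "cvss": 6.1, "owasp": "A7"},
    {"host": "10.0.0.9",  "name": "Anonymous FTP",    "cvss": 7.5},
    {"host": "10.0.0.9",  "name": "Telnet cleartext", "cvss": 9.8},
    {"host": "10.0.1.20", "name": "Outdated TLS",     "cvss": 5.3},
]

# Protocols from the hardening checklist in the article.
INSECURE_PROTOCOLS = {"ftp", "telnet", "snmp", "smbv1"}

def insecure_services():
    """Hardening report: hosts exposing a protocol from the insecure list."""
    report = {}
    for host, data in HOSTS.items():
        exposed = sorted(set(data["services"]) & INSECURE_PROTOCOLS)
        if exposed:
            report[host] = exposed
    return report

def top_vulnerable_assets(n=10):
    """'Top N most vulnerable assets': hosts ranked by number of findings."""
    return Counter(f["host"] for f in FINDINGS).most_common(n)

def assets_with_critical(threshold=9.0):
    """'Assets with critical findings': hosts with a CVSS at or above threshold."""
    return sorted({f["host"] for f in FINDINGS if f["cvss"] >= threshold})

def compliance_tags():
    """Tagging rule from the article: on a PCI-tagged asset, a finding with
    CVSS 7 to 10 or an OWASP Top 10 issue marks a PCI non-compliance situation."""
    tags = defaultdict(set)
    for f in FINDINGS:
        if "PCI" not in HOSTS[f["host"]]["tags"]:
            continue  # rule only applies to assets in PCI scope
        if 7.0 <= f["cvss"] <= 10.0 or f.get("owasp"):
            tags[f["host"]].add("PCI-NonCompliance")
    return dict(tags)

if __name__ == "__main__":
    print("Insecure services:", insecure_services())
    print("Top vulnerable:", top_vulnerable_assets())
    print("Critical findings:", assets_with_critical())
    print("Compliance tags:", compliance_tags())
```

The B2C host with a medium finding receives no tag, which is the point of keying the rule on the asset tags registered during asset management.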

Pentest execution and follow-up was Faraday’s main purpose in past years, but now you can increase its value by bringing this process (pentest management) into your cybersecurity program together with the other processes described in this article.

You can read more about this in #CISControls CSC-20, but this process is also part of ISO, NIST, PCI, and other references.

Compliance Management

Reference | Section
CIS Controls | CSC 18 - Application Software Security
CIS Controls | CSC 20 - Penetration Testing and Red Team exercises
PCI-DSS | 6.5 Secure Coding considering OWASP TOP 10
PCI-DSS | 11.3 Implement a methodology for penetration testing
ISO 27002 | 12.6 Technical vulnerability management
ISO 27002 | 14.1 Security requirements of information systems
ISO 27002 | 14.2 Security in development and support processes
ISO 27002 | 18.2 Information security reviews

Some conclusions

A cybersecurity program is something you must adapt and maintain based on business needs. A fixed plan for everyone is not possible; for this reason you must stay close to your business, know the environment and its behavior, and know its risks and compliance requirements. Security is a continuous process that needs training, time, effort, teamwork, support from the business, budget, and heart!

To be agile and perform well you should use a tool or a set of tools. Faraday is a great tool to support your cybersecurity program, with many possible usages, features that are updated frequently, support for the most common security platforms, and a very challenging roadmap of new features.

But remember, a tool is just a tool: you must always think, build cost-effective solutions, know your environment and be a partner for your business.

Enjoy Faraday! :)

Mariano del Rio

https://www.faradaysec.com
https://github.com/infobyte/faraday
