Part One in a Three-Part Series
Cybersecurity is a hot topic for just about everyone: it affects organizations as well as individuals, workers, and citizens. Each of us needs at least a basic understanding of how to safely use and protect the devices and systems that are a part of our day-to-day lives.
And yet, do you sometimes see or hear a term that you don’t quite understand? If so, you are not alone – cybersecurity is a domain littered with technological, legal, and regulatory jargon, and we often forget to define our terms and remind ourselves what we are trying to accomplish.
With that in mind, the Cyber Engineering team at Coalfire is developing a series of posts that will define and explain several commonly used terms and put them into context.
We begin our series with the topic “System Compliance and Hardening.”
System compliance is achieved through system hardening, the process of reducing the attack surface to improve system security. Each compliance standard provides a list of requirements that must be met through system hardening before an organization can state that its systems comply with that standard. Common requirements that are standardized through this process include:
- Password requirements (length, complexity, history, lockouts)
- Audit requirements (pass/fail for certain system events)
- Session settings (inactivity timeouts, concurrent sessions, remote access)
- Patching (devices/systems up to date, monitor for viruses and malware)
- Removing unnecessary applications/services
Hardening systems improves security beyond the default settings. When implemented, hardening practices enhance security for software, hardware, and physical and logical architectures to further reduce security risk. System hardening is also a necessity if you want to ensure you are adhering to almost any given regulatory standard.
- Default settings that are inadequate:
  - Users choose weak passwords or reuse old passwords
  - Audit logging (as seen in Event Viewer) may record only successful events, leaving administrators unaware of brute-force attacks
  - Users leave their workstations unlocked
  - Systems and devices are not automatically updated to the latest version
  - Unnecessary applications remain installed, adding avoidable risk
Due to these inadequate default settings, every enterprise – and every system used by that enterprise – probably needs to comply with some sort of system hardening standards. Those standards might be self-imposed to satisfy the enterprise security policy, or they might be dictated by a legislative, regulatory, or contractual body.
For example, if you are a Cloud Service Provider (CSP) seeking to sell your service to a federal agency, your customers will need you to demonstrate that you are FedRAMP-compliant. Those requirements are built upon National Institute of Standards and Technology (NIST) Special Publication 800-53 and allow CSPs to document their defined baselines. Alternatively, if you are a retailer and your system processes credit cards, you will need to comply with the Payment Card Industry Data Security Standard (PCI DSS). If you are subject only to commercial requirements, you still need to set contractual requirements with clients and follow good security practice.
Some commonly known standards for system compliance are:
- The Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG)
  - A Department of Defense (DoD) standard for many operating systems (OS), network devices, and applications
  - Very stringent settings that can often break functionality
  - Security Requirements Guides (SRGs) are available as generic guidelines for securing applications, firewalls, switches, Linux, etc.
- The Center for Internet Security (CIS) publishes benchmarks for OS, AWS, mobile devices, network devices, and software
  - CIS is an excellent option for commercial environments or information systems that use both Linux and Windows
- Microsoft Security Compliance Manager (SCM) provides a compliance baseline tool to build and customize SCM benchmarks. These benchmarks are Microsoft-specific, covering Windows and some applications
  - SCM is best used in a commercial setting with primarily Windows systems that require organizationally defined customizations
Choosing the appropriate standard heavily depends on your environment and the requirements you must meet. There are a multitude of requirements; however, most compliance standards can be achieved by following NIST 800-53.
The purpose of that publication is to provide guidelines for selecting specific controls that will help your company meet its needed/desired requirements. In addition, it ensures privacy is considered for each security control, which helps align privacy requirements with security controls that may overlap during the system hardening process.
The controls are organized as families. To ensure compliance standards are being met from a cybersecurity standpoint, the focus is on the Configuration Management (CM) family controls, specifically CM-2 and CM-6.
CM-2: Baseline Configuration
This control ensures that the organization has a baseline configuration for the information system. The control enhancements ensure that the organization keeps the baseline up to date, has an automated mechanism to maintain it, retains previous versions, and configures systems deployed to high-risk areas accordingly.
CM-6: Configuration Settings
This control ensures that configuration settings are documented, implemented, and monitored for any changes to the settings. The control enhancements ensure that there is an automated mechanism to manage settings and that there are safeguards in place to address unauthorized changes to the settings.
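As an added example (not Coalfire's code and not part of any standard), the following Python compares a captured settings snapshot against a documented baseline in the spirit of CM-2 and CM-6: it reports every setting that deviates from the baseline, including the "audit Success only" default described earlier, and lists drift between two retained snapshots. The setting names, thresholds, and snapshots are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable
@dataclass(frozen=True)
class Rule:
    setting: str                  # dotted name of the setting in a snapshot
    check: Callable[[Any], bool]  # True when the captured value is compliant
    expected: str                 # human-readable statement of the baseline

# Constructed baseline covering the requirement categories listed above;
# the threshold values are illustrative assumptions, not from any standard.
BASELINE = [
    Rule("password.min_length", lambda v: v >= 14, ">= 14 characters"),
    Rule("password.complexity", lambda v: v is True, "enabled"),
    Rule("password.history", lambda v: v >= 24, ">= 24 remembered"),
    Rule("password.lockout_threshold", lambda v: 0 < v <= 5, "1-5 attempts"),
    # Auditing only Success hides brute-force attempts; Failure is required.
    Rule("audit.logon", lambda v: {"success", "failure"} <= set(v), "success+failure"),
    Rule("session.idle_timeout_min", lambda v: 0 < v <= 15, "1-15 minutes"),
    Rule("session.max_concurrent", lambda v: v <= 1, "at most 1"),
]

def check_snapshot(snapshot: dict) -> list:
    """(setting, expected, actual) for every rule the snapshot fails;
    a setting that is missing or of the wrong type is also a finding."""
    findings = []
    for rule in BASELINE:
        if rule.setting not in snapshot:
            findings.append((rule.setting, rule.expected, "<not captured>"))
            continue
        actual = snapshot[rule.setting]
        try:
            compliant = rule.check(actual)
        except TypeError:  # e.g. "8" (string) where a number was expected
            compliant = False
        if not compliant:
            findings.append((rule.setting, rule.expected, repr(actual)))
    return findings

def drift(previous: dict, current: dict) -> dict:
    """Settings changed between two retained snapshots: {name: (old, new)}."""
    return {k: (previous.get(k), current.get(k)) for k in sorted(set(previous) | set(current))
            if previous.get(k) != current.get(k)}

# Constructed snapshots: out-of-the-box defaults versus a hardened system.
DEFAULT_SNAPSHOT = {"password.min_length": 8, "password.complexity": False,
    "password.history": 0, "password.lockout_threshold": 0, "audit.logon": ["success"],
    "session.idle_timeout_min": 0, "session.max_concurrent": 5}
HARDENED_SNAPSHOT = {"password.min_length": 14, "password.complexity": True,
    "password.history": 24, "password.lockout_threshold": 5, "audit.logon": ["success", "failure"],
    "session.idle_timeout_min": 15, "session.max_concurrent": 1}
```

Running `check_snapshot(DEFAULT_SNAPSHOT)` yields one finding per baseline rule, while the hardened snapshot yields none; any non-empty `drift` result between two retained snapshots that is not tied to an approved change is the unauthorized change CM-6 asks you to detect.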
While this only touches the basic configuration management requirements for baseline configuration and configuration settings, Coalfire can also help ensure that you meet all other requirements for the specific compliance standard.
In summary, system hardening is crucial to ensure your company is secure and is meeting all desirable/legal compliance requirements. The next installment in the Cyber Engineering Primer Series will further explore the topic by introducing and explaining automated checks for compliance.