A Cyber Engineering Primer: System Compliance and Hardening

April 16, 2018, Timberly Deane and Alyssa Stackpole, Cyber Engineering Associates, Coalfire

Part One in a three-part series

Cybersecurity is a hot topic for just about everyone: it affects organizations as well as individuals, workers, and citizens. Each of us needs at least a basic understanding of how to safely use and protect the devices and systems that are a part of our day-to-day lives.

And yet, do you sometimes see or hear a term that you don’t quite understand? If so, you are not alone – cybersecurity is a domain littered with technological, legal, and regulatory jargon, and we often forget to define our terms and remind ourselves what we are trying to accomplish.

With that in mind, the Cyber Engineering team at Coalfire is developing a series of posts that will define and explain several commonly used terms and put them into context.  

We begin our series with the topic “System Compliance and Hardening.”

System compliance is demonstrated through system hardening: the process of reducing a system's attack surface, starting from its default configuration, to improve its security. Each compliance standard lists requirements that hardening must satisfy before an organization can state that its systems comply with that standard. Common requirements standardized in this way include:

  • Password requirements (length, complexity, history, lockouts)
  • Audit requirements (logging both success and failure of certain system events)
  • Session settings (inactivity timeouts, concurrent sessions, remote access)
  • Patching (keeping devices and systems up to date, and monitoring for viruses and malware)
  • Removing unnecessary applications/services

Hardening systems improves security beyond the default settings. When implemented, hardening practices enhance security for software, hardware, and physical and logical architectures to further reduce security risk. System hardening is also a necessity if you want to ensure you are adhering to almost any given regulatory standard.

  • Examples of default settings that are inadequate:
    • Users choose weak passwords or reuse old ones when no length, complexity, or history rules are enforced
    • Logon auditing that records only successes leaves administrators unaware of brute-force attacks, because the failed attempts never reach the Event Viewer
    • Users leave their workstations unlocked, and no inactivity lock is enforced
    • Systems and devices are not updated automatically to the latest version
    • Unnecessary applications and services stay installed, enlarging the attack surface

Due to these inadequate default settings, every enterprise – and every system used by that enterprise – probably needs to comply with some sort of system hardening standards. Those standards might be self-imposed to satisfy the enterprise security policy, or they might be dictated by a legislative, regulatory, or contractual body.

For example, if you are a Cloud Service Provider (CSP) seeking to sell your service to a federal agency, your customers will need you to demonstrate that you are FedRAMP-compliant. The FedRAMP requirements are built upon the National Institute of Standards and Technology (NIST) Special Publication 800-53 and require CSPs to document the baselines they have defined. Alternatively, if you are a retailer and your system processes credit cards, you will need to comply with the Payment Card Industry Data Security Standard (PCI DSS). In a purely commercial setting with no mandated standard, the requirements are set contractually with your clients and by good security practice.

Some commonly known standards for system compliance are:

  • The Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)
    • A Department of Defense (DoD) standard for many operating systems (OS), network devices, and applications
    • Very stringent settings that can break application functionality if applied without testing
    • Security Requirements Guides (SRGs) are available as generic guidelines for securing applications, firewalls, switches, Linux, etc., where no product-specific STIG exists
  • The Center for Internet Security (CIS) publishes benchmarks for operating systems, AWS, mobile devices, network devices, and software
    • CIS is an excellent option for commercial environments or information systems that use both Linux and Windows
  • Microsoft Security Compliance Manager (SCM) provides a compliance baseline tool to build and customize Windows baselines. These baselines are Microsoft-specific, covering Windows and some Microsoft applications (Microsoft retired SCM in 2017 in favor of the Security Compliance Toolkit, which ships the same baselines as Group Policy objects)
    • SCM is best used in a commercial setting with primarily Windows systems that require organizationally defined customizations

Choosing the appropriate standard heavily depends on your environment and the requirements you must meet. There are a multitude of requirements; however, most compliance standards map their controls to NIST SP 800-53, which makes it a useful common reference.
The purpose of that publication is to provide guidelines for selecting the specific controls that will help your company meet its required or desired compliance obligations. In addition, the publication ensures privacy is considered for each security control, which helps align privacy requirements with security controls that may overlap during the system hardening process.

The controls are organized into families. For system hardening specifically, the relevant controls are in the Configuration Management (CM) family, in particular CM-2 and CM-6.

CM-2: Baseline Configuration
This control requires the organization to develop, document, and maintain a current baseline configuration for the information system. The control enhancements require that the organization reviews and updates the baseline, uses automated mechanisms to keep it accurate and current, retains previous versions to support rollback, and configures systems deployed to high-risk areas accordingly.

CM-6: Configuration Settings
This control requires that configuration settings are documented, implemented, and monitored for changes, and that any deviations from the documented settings are identified, documented, and approved. The control enhancements require automated mechanisms to centrally manage the settings and safeguards to respond to unauthorized changes to them.
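The Python below is an added example, not code from the original post or from Coalfire: it writes a small documented baseline for several of the requirement categories listed earlier (password length and age, lockout after failed logins, inactivity timeout, root login over SSH, unnecessary services) and evaluates configuration files against it in the way CM-6 describes, with a setting that is absent, and therefore left at the daemon's built-in default, reported as a deviation rather than a pass. The file paths, thresholds, and sample file contents are illustrative assumptions and do not come from any particular benchmark; the two sample hosts are constructed inline so the check runs offline, and a real check would read the live files instead.

```python
"""Added example: a documented baseline evaluated against constructed Linux
config snippets. Paths, thresholds and samples are illustrative assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'KEY value' lines (login.defs, sshd_config) and 'key = value'
    lines (pwquality.conf, faillock.conf) into a dict keyed by lowercase
    name. Comments and blank lines are skipped; the last occurrence wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        settings[key.lower()] = value.strip()
    return settings


def _int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None and value.isdigit() else None


def at_least(n: int) -> Callable[[Optional[str]], bool]:
    return lambda v: _int(v) is not None and _int(v) >= n


def between(lo: int, hi: int) -> Callable[[Optional[str]], bool]:
    return lambda v: _int(v) is not None and lo <= _int(v) <= hi


def equals(expected: str) -> Callable[[Optional[str]], bool]:
    return lambda v: v is not None and v.lower() == expected.lower()


@dataclass(frozen=True)
class Check:
    control: str   # what the organization's documented baseline requires
    path: str      # file the setting lives in
    key: str       # lowercase setting name, as parse_kv produces it
    required: str  # human-readable expectation for the report
    ok: Callable[[Optional[str]], bool]


# The documented baseline (assumed values). A setting missing from the file
# reaches the predicate as None, so "whatever the daemon's built-in default
# is" counts as a deviation, not a pass: the inadequate-default failure mode.
BASELINE = [
    Check("password minimum length", "/etc/security/pwquality.conf",
          "minlen", ">= 14", at_least(14)),
    Check("password maximum age", "/etc/login.defs",
          "pass_max_days", "1-60 days", between(1, 60)),
    Check("lockout after failed logins", "/etc/security/faillock.conf",
          "deny", "1-5 attempts", between(1, 5)),
    Check("ssh inactivity timeout", "/etc/ssh/sshd_config",
          "clientaliveinterval", "1-900 seconds", between(1, 900)),
    Check("ssh root login", "/etc/ssh/sshd_config",
          "permitrootlogin", "no", equals("no")),
]


def evaluate(files: Dict[str, str], baseline: List[Check] = BASELINE) -> List[dict]:
    """Return one finding per baseline deviation; an empty list means the
    effective settings in `files` (path -> file contents) match the baseline."""
    parsed = {path: parse_kv(text) for path, text in files.items()}
    findings = []
    for check in baseline:
        found = parsed.get(check.path, {}).get(check.key)
        if not check.ok(found):
            findings.append({"control": check.control, "path": check.path,
                             "key": check.key, "found": found,
                             "required": check.required})
    return findings


def unnecessary_services(enabled_units: str,
                         disallowed=("telnet", "rsh", "rlogin", "tftp")) -> List[str]:
    """Flag enabled systemd units whose name starts with a deny-listed legacy
    service. Input is the text of `systemctl list-unit-files --state=enabled`."""
    flagged = []
    for line in enabled_units.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "enabled":
            unit = parts[0]
            if any(unit.split(".")[0].startswith(name) for name in disallowed):
                flagged.append(unit)
    return sorted(flagged)


# Constructed sample: a host left on distribution defaults (settings commented out).
DEFAULT_FILES = {
    "/etc/login.defs": "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n",
    "/etc/security/pwquality.conf": "# minlen = 8\n",
    "/etc/security/faillock.conf": "# deny = 3\n",
    "/etc/ssh/sshd_config": "#PermitRootLogin prohibit-password\n#ClientAliveInterval 0\n",
}
DEFAULT_UNITS = ("UNIT FILE      STATE   PRESET\nsshd.service   enabled enabled\n"
                 "telnet.socket  enabled enabled\nrsh.socket     enabled enabled\n"
                 "\n3 unit files listed.\n")

# Constructed sample: the same files after hardening to the baseline.
HARDENED_FILES = {
    "/etc/login.defs": "PASS_MAX_DAYS\t60\nPASS_MIN_DAYS\t1\nPASS_WARN_AGE\t7\n",
    "/etc/security/pwquality.conf": "minlen = 14\ndcredit = -1\n",
    "/etc/security/faillock.conf": "deny = 5\nunlock_time = 900\n",
    "/etc/ssh/sshd_config": "PermitRootLogin no\nClientAliveInterval 900\n",
}

if __name__ == "__main__":
    for label, files in (("default", DEFAULT_FILES), ("hardened", HARDENED_FILES)):
        findings = evaluate(files)
        print(f"{label}: {len(findings)} deviation(s)")
        for f in findings:
            print(f"  {f['control']}: {f['key']}={f['found']!r} in {f['path']}, "
                  f"required {f['required']}")
    print("unnecessary services:", unnecessary_services(DEFAULT_UNITS))
```

Run as a script, the default host produces one deviation per baseline entry (every setting is either commented out or, for PASS_MAX_DAYS, set to 99999) plus two legacy services, while the hardened host produces none. The baseline list is the documented part of CM-6; re-running the evaluation on a schedule, or after each change, is the monitoring part, and any new finding is a candidate unauthorized change.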

While this only touches the basic configuration management requirements for baseline configuration and configuration settings, Coalfire can also help ensure that you meet all other requirements for the specific compliance standard.

In summary, system hardening is crucial to keeping your company secure and to meeting both self-imposed and legally mandated compliance requirements. The next installment in the Cyber Engineering Primer Series will further explore the topic by introducing and explaining automated checks for compliance.

Sources
https://nvd.nist.gov/800-53/Rev4/control/CM-2
https://nvd.nist.gov/800-53/Rev4/control/CM-6
https://nvd.nist.gov/800-53/Rev4/
https://nvd.nist.gov/ncp/repository
