Version 7.1 of the guidelines published by the Center for Internet Security (CIS) contains 20 actions, or “controls”, that should be performed in order to achieve a cyber-attack resilient IT infrastructure. In this article we are going to dive into the 5th CIS Control and how to harden configurations using CIS benchmarks.
In the 5th Control, the CIS recommends maintaining documented security configuration standards for all authorized operating systems and software (5.1). They also recommend deploying system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals (5.4). According to CIS, organizations must implement rigorous configuration and change control processes to prevent attacks that exploit vulnerable services and settings.
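A minimal sketch of 5.1 and 5.4 in practice, added here as an example and not taken from CIS or from any tool named in this article: the documented standard is kept as data, and an audit-and-enforce pass that a scheduler would run at intervals detects and reverts drift. The directive names are real sshd_config options; the required values and the sample file are constructed for illustration.

```python
# Constructed baseline (Control 5.1: the documented standard, kept as data).
# Required values are illustrative assumptions, not quoted from a CIS benchmark.
BASELINE = {
    "permitrootlogin": ("eq", "no", "high"),
    "passwordauthentication": ("eq", "no", "high"),
    "maxauthtries": ("max", 4, "medium"),
    "clientaliveinterval": ("max", 300, "low"),
}

SAMPLE = """\
# constructed sample of a drifted server
PermitRootLogin yes
MaxAuthTries 6
PasswordAuthentication no
"""

def keyword(line):
    """Lower-cased directive name of a config line, or '' for blanks/comments."""
    parts = line.split("#", 1)[0].split(None, 1)
    return parts[0].lower() if parts else ""

def parse(text):
    """Return {directive: value}; the first occurrence wins, as in sshd."""
    found = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            found.setdefault(parts[0].lower(), parts[1].strip())
    return found

def compliant(rule, want, have):
    if have is None:
        return False  # unset: the vendor default applies, so count it as drift
    if rule == "eq":
        return have.lower() == str(want)
    return have.isdigit() and 0 < int(have) <= want  # "max": ceiling, 0 rejected

def audit(text):
    """List (directive, current, required, severity) for each deviation."""
    current = parse(text)
    return [(k, current.get(k), want, sev)
            for k, (rule, want, sev) in BASELINE.items()
            if not compliant(rule, want, current.get(k))]

def enforce(text):
    """Control 5.4 style redeploy: drop drifted lines, prepend baseline values."""
    drifted = {k: want for k, _, want, _ in audit(text)}
    kept = [l for l in text.splitlines() if keyword(l) not in drifted]
    return "\n".join([f"{k} {v}" for k, v in drifted.items()] + kept) + "\n"
```

Running `audit(SAMPLE)` reports three deviations, including the unset `clientaliveinterval`, and `audit(enforce(SAMPLE))` returns an empty list; untouched lines such as comments pass through unchanged.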
As delivered from the manufacturer, an operating system’s default configuration is aimed at usability rather than security. As a result, unless measures are taken to secure them, operating systems are highly vulnerable to cyber-attacks. Deploying configuration settings with good security properties in complex IT environments is extremely difficult, as it requires analyzing hundreds of options and testing them before making any decision. This process usually requires the efforts of several people and investment in additional resources, and is therefore often neglected or performed incorrectly, leaving the organization vulnerable.
It is common for attackers to take advantage of security weaknesses the organization is unaware of, penetrating the enterprise’s IT network, spreading malware and causing extensive damage. For example, the WannaCry malware, which first appeared in May 2017, is a Server Message Block (SMB) worm that uses such a weakness to gain access and distribute itself across the network. Although Microsoft released the relevant security updates during 2016 and 2017, WannaCry, as well as other SMB worms such as the Brambul malware, continues to cause thousands of dollars’ worth of damage every day.
Your configuration properties should rely on security benchmarks: guidelines published by a reliable source such as CIS. The CIS benchmarks, considered the gold standard, contain over 100 configuration guidelines for various systems, safeguarding them against attacks that target configuration vulnerabilities. Following these guidelines will provide a secure image that will improve your organization’s security posture.
It is likely that you will need to support a variety of standardized security images, due to the organization’s complexity and its range of supported functionalities. The number of image variations should be kept to a minimum in order to better understand and manage the security properties of each, but the organization must be able to manage multiple baselines.
A 2017 study showed that organizations fail over 50% of the compliance checks established by the CIS in their benchmarks. More than half of these failures were high-severity issues. System hardening should be a mandatory requirement, but CIS benchmarks go into great depth, so following them can be a burden.
As with any such complex task, difficulties often arise and production systems are often harmed. To establish a new configuration, lab testing should be performed before the change is implemented in production. This testing takes long hours for every change made to the system. As the enterprise’s network constantly changes, keeping track of hardening status and implementing the benchmarks without hitches is almost impossible.
Automating the hardening process is a must in order to overcome this challenge. Automated tools are needed to simplify the decision-making process regarding configuration changes. Implementing those changes should also be performed automatically, leaving no room for human mistakes that would leave the system vulnerable. CHS by CalCom is a server hardening automation tool. CHS has the ability to learn your production environment and analyze the impact of every configuration change, thereby eliminating the need for lab testing and allowing you to implement CIS benchmarks directly on the environment without the risk of production outages. Learn more about CHS benefits and features by downloading our datasheet.