The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) and IT security handbook require enforcement of comprehensive configuration hardening baselines for servers.
To curb the growing cyber threat against financial institutions, the Federal Financial Institutions Examination Council (FFIEC) recently (September 2016) renewed its IT security handbook and issued the Cybersecurity Assessment Tool. As the guiding authority for the five US banking regulators (FRB, FDIC, NCUA, OCC and CFPB), the FFIEC is responsible for ensuring that financial institutions in the US are protected against cyber-attacks. In issuing these documents, the FFIEC's objective is to guide financial institutions and to help regulators enforce, lead and audit organizations. The FFIEC CAT presents a set of challenging server configuration hardening requirements:
1. Enforce a security policy aligned with industry standards: The IT team should define secure system configurations and enforce them on all network devices. According to the CAT, these policies should follow industry standards. The CAT states the requirement as follows:
“Preventive Controls/Infrastructure Management: Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. Source: IS.B.56: Financial institutions should ensure that systems are developed, acquired, and maintained with appropriate security controls. IS.WP.II.H: Determine whether management explicitly follows a recognized security standard development process, or adheres to widely recognized industry standards.”
2. Examples of critical objects that must be hardened: The Cybersecurity Assessment Tool gives some examples of what should be hardened: “Preventive Controls/Infrastructure Management: Ports, functions, protocols and services are prohibited if no longer needed for business purposes. Source: IS.B.50: Institutions should consider securing PCs to workstations, locking or removing disk drives and unnecessary physical ports, and using screensaver passwords or automatic timeouts. IS.WP.II.C.1: Determine whether hosts are hardened through the removal of unnecessary software and services, consistent with the needs identified in the risk assessment, that configuration takes advantage of available object, device, and file access controls, and that necessary software updates are applied.”
3. Change default accounts and passwords: The IT team should change all default accounts and passwords. This task is a basic requirement in hardening benchmarks, yet it is hard to implement because default accounts are commonly used on production servers: “Preventive Controls/Access and Data Management: All default passwords and unnecessary default accounts are changed before system implementation. Source: IS.B.61: When deploying off-the-shelf software, management should harden the resulting system. Hardening includes the following actions… Changing all default passwords. IS.WP.II.A.1: Determine whether the financial institution has removed or reset default profiles and passwords from new systems and equipment.”
4. A managed process combining hardening, penetration testing and vulnerability scanning: Hardening processes should be combined with a penetration testing and vulnerability scanning program. Scanning and penetration testing should be performed according to the overall risk assessment, and it is critical to make sure that the test results are fed back into the organization's hardening process: “Detective Controls/Threat and Vulnerability Detection: Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external-facing systems and the internal network. Source: IS.B.61: Hardening includes the following actions… Testing the system to ensure a secure configuration… [and] Testing the resulting systems. IS.WP.II.M.12: Evaluate independent tests, including penetration tests, audits, and assessments.”
5. Configuration hardening change management and access control: Authorization to change server configurations must be controlled and monitored. It is critical that only authorized users are able to change a server's configuration. This requirement is hard to implement in a large infrastructure with many privileged users: “Preventive Controls/Infrastructure Management: Access to make changes to systems configurations, (including virtual machines and hypervisors) is controlled and monitored. Source: IS.B.56: Financial institutions should ensure that systems are developed, acquired, and maintained with appropriate security controls. The steps include… Maintaining appropriately robust configuration management and change control processes. IS.WP.II.H: Determine whether management explicitly follows a recognized security standard development process, or adheres to widely recognized industry standards.”
The five configuration hardening requirements in the FFIEC Cybersecurity Assessment Tool pose major challenges for IT operations and security teams.
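As an added illustration (not CalCom's or the FFIEC's code), the following Python script checks a constructed server configuration snapshot against a constructed hardening baseline covering requirements 2, 3 and 5 above: prohibited services and ports, default accounts whose passwords must be changed, and configuration drift that has no matching approved change record. The baseline and snapshot formats, the control-area labels and all sample values are assumptions for this example, not real CIS/NIST benchmark content.

```python
# Constructed baseline for illustration; not real CIS/NIST benchmark content.
BASELINE = {
    "prohibited_services": {"telnet", "ftp", "rsh"},
    "prohibited_ports": {21, 23, 514},
    "default_accounts": {"guest", "admin", "sa"},
    "settings": {"PasswordMinLength": 14, "LockoutThreshold": 5},
}

# Constructed snapshot of one server, as a configuration collector might report it.
SAMPLE_SNAPSHOT = {
    "services": ["sshd", "telnet", "cron"],
    "listening_ports": [22, 23, 443],
    "accounts": {"guest": {"enabled": True, "password_changed": False},
                 "admin": {"enabled": False, "password_changed": True}},
    "settings": {"PasswordMinLength": 8, "LockoutThreshold": 5},
}

def evaluate(snapshot, baseline=BASELINE):
    """Return (control area, detail) deviations between a snapshot and the baseline."""
    findings = []
    for svc in sorted(baseline["prohibited_services"] & set(snapshot["services"])):
        findings.append(("Infrastructure Management", f"prohibited service running: {svc}"))
    for port in sorted(baseline["prohibited_ports"] & set(snapshot["listening_ports"])):
        findings.append(("Infrastructure Management", f"prohibited port listening: {port}"))
    for acct in sorted(baseline["default_accounts"]):
        state = snapshot["accounts"].get(acct)
        if state is None:
            continue  # account removed or renamed: compliant
        if state["enabled"]:
            findings.append(("Access and Data Management", f"default account enabled: {acct}"))
        if not state["password_changed"]:
            findings.append(("Access and Data Management", f"default password unchanged: {acct}"))
    for key, want in baseline["settings"].items():
        got = snapshot["settings"].get(key)
        if got != want:
            findings.append(("Infrastructure Management", f"{key}={got!r}, baseline requires {want!r}"))
    return findings

def detect_drift(approved, current, authorized_changes):
    """Flag settings that differ from the last approved snapshot without a matching change record."""
    drift = []
    for key in sorted(set(approved) | set(current)):
        if approved.get(key) == current.get(key):
            continue  # no change
        if key in authorized_changes and authorized_changes[key] == current.get(key):
            continue  # change matches an approved change ticket
        drift.append(("Infrastructure Management",
                      f"unauthorized change: {key} {approved.get(key)!r} -> {current.get(key)!r}"))
    return drift
```

Run `evaluate(SAMPLE_SNAPSHOT)` to list the five deviations in the sample, and feed `detect_drift` the last approved settings, the current settings and the settings covered by approved change tickets to separate authorized from unauthorized changes.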
CalCom Hardening Solution (CHS) is a server security-hardening solution designed to reduce operational costs and increase the server’s security and compliance posture. CHS eliminates outages and reduces hardening costs by indicating the impact of a security hardening change on the production services. It ensures a resilient, constantly hardened and monitored server environment. CHS provides a complete solution for the five server hardening requirements that need to be implemented in order to comply with the FFIEC CAT:
1. Enforce a security policy aligned with industry standards: CHS provides out-of-the-box policies aligned with CIS/SCM/NIST baselines, or customized organizational policies can be uploaded to the CHS policy center and enforced. Enforcing a broad baseline such as CIS/SCM might cause outages to applications and OS services, so intensive testing must be done before enforcing the policies on production servers. CHS saves the time and resources required for this policy testing procedure: it provides a predictive “learning mode” that indicates what impact a policy change will have on the production environment.
2. Examples of critical objects that must be hardened: CHS covers the recommended industry baselines, and all the critical objects mentioned in the CAT are supported.
3. Change default accounts and passwords: Default accounts: the CHS learning mode gives an exact indication of the usage of default administrative accounts on servers. Default passwords: passwords are managed from the policy center; during learning mode, the current password settings are discovered and compared to the desired ones.
4. Managed process of hardening, penetration testing and vulnerability scanning: CHS integrates with the organization's penetration testing and vulnerability scanning programs.
5. Configuration hardening change management and access control: CHS implements a configuration change management process: hardened servers are continuously monitored, authorized changes are logged and unauthorized changes are prevented in real time. All configuration changes are audited, saved and presented in a dashboard.