How Hardening is reflected in the different NIST Standards

By John Gates, on May 29th, 2022

What is NIST?

NIST stands for the National Institute of Standards and Technology. Founded in 1901, it is part of the U.S. Department of Commerce and one of the oldest physical science laboratories in the United States. It was established to remove a major obstacle to U.S. industrial competitiveness at the time: a second-rate measurement infrastructure that lagged behind those of economic rivals.

What are NIST Standards?

NIST develops standards, guidelines, and best practices that address the cybersecurity needs of industry, the public, and federal agencies. The NIST Cybersecurity Framework (CSF) takes an outcome-based approach, which is what lets it be applied in any sector and to organizations of any size. The framework has three basic components:

  1. Framework Core
  2. Profiles
  3. Implementation Tiers

The framework core has five major functions:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

(Image: Infographic – NIST Cyber Security Framework)

Organizations should apply security configuration checklists to their operating systems and applications to reduce the number of exploitable vulnerabilities and to limit the impact of the attacks that do succeed.

NIST maintains the National Checklist Repository at https://ncp.nist.gov/repository. It describes each checklist (most are developed by the federal government) and links to the location where the checklist itself is published. Users can browse and search the repository for a particular checklist using a variety of criteria. NIST SP 800-70 describes how checklists are developed, evaluated, and used.

How is hardening reflected in NIST standards?

Hardening is the application of security best practices to applications, systems, infrastructure, and other fundamental areas in order to reduce risk and eliminate vulnerabilities, chiefly by shrinking the attack surface: every unnecessary service, account, port, or privilege that is removed is one fewer thing an attacker can use. There are many types of hardening, some of which are listed below:

  • Application Hardening
  • Server Hardening
  • Database Hardening
  • Network Hardening
  • Operating System Hardening

NIST and Hardening

NIST addresses system hardening directly in Special Publication 800-123, Guide to General Server Security. Its core recommendations include:

  • A system security plan must be established
  • The operating system must be patched and kept up to date
  • Unnecessary applications, services, and network protocols must be removed or disabled
  • Operating system user authentication must be configured
  • Resource controls must be appropriately configured

The same guide covers the whole server lifecycle, not only the operating system. Its main sections are:

  • Server Security Planning
  • Securing the Server’s Operating System
  • Securing the Server Software
  • Maintaining the Security of the Server

Good system hardening baselines always include:

  • Requiring strong passwords; note that NIST SP 800-63B recommends screening new passwords against lists of known-compromised values and forcing a change when there is evidence of compromise, rather than forcing routine periodic changes
  • Removing or disabling all unneeded software, drivers, and services
  • Enabling automatic updates, with changes tested on a staging system before they reach production
  • Limiting user access to the system to what each role actually needs (least privilege)
  • Logging all errors, warnings, and suspicious activity, and reviewing those logs
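The SP 800-123 items and the baseline items above both say "remove unnecessary services" and "configure user authentication" without showing what a checkable rule looks like. The following is an added example, not code from NIST or from the post's author, of how such checklist items become machine-checkable: it parses an sshd_config-style file, compares it with an assumed baseline, flags enabled services that are not on an allowlist, and can remediate in a dry-run mode that reports what would change before anything is written. The sshd_config text, the service list, the baseline values and the allowlist are all constructed for the example and are not taken from any NIST publication.

```python
# Added example (not NIST's or the post author's code): a hardening-checklist
# evaluator. Baseline values, sample sshd_config and service list are constructed.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample sshd_config: deliberately weak, with a duplicate directive.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
"""
SAMPLE_ENABLED_SERVICES = ["ssh", "cron", "telnet", "rpcbind", "unattended-upgrades"]
# Assumed baseline: illustrative values, not a published NIST checklist.
SSHD_BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no",
                 "X11Forwarding": "no", "MaxAuthTries": "4"}
SERVICE_ALLOWLIST = {"ssh", "cron", "rsyslog", "unattended-upgrades"}
_SEP = re.compile(r"\s*=\s*|\s+")   # sshd accepts 'Key value' or 'Key=value'

@dataclass
class Finding:
    check: str
    current: Optional[str]
    expected: str

def _directive(raw: str):
    """(keyword, value) for a directive line; None for blank or comment lines."""
    line = raw.strip()
    if not line or line.startswith("#"):
        return None
    parts = _SEP.split(line, maxsplit=1)
    return (parts[0], parts[1].strip()) if len(parts) == 2 else None

def parse_sshd_config(text: str) -> dict:
    """Lower-cased keyword -> the value sshd will actually use. Keywords are
    case-insensitive and the FIRST occurrence wins, so a hardened line pasted
    below a weak one changes nothing. Directives after 'Match' are skipped."""
    seen = {}
    for raw in text.splitlines():
        d = _directive(raw)
        if d is None:
            continue
        key, value = d[0].lower(), d[1]
        if key == "match":
            break
        seen.setdefault(key, value)   # first value wins
    return seen

def check_sshd(config: dict, baseline: dict = SSHD_BASELINE) -> list:
    """One Finding per baseline directive that is absent or wrong. An absent
    directive falls back to the compiled-in default, which counts as a failure
    so that every baseline setting is explicit."""
    return [Finding(f"sshd:{name}", config.get(name.lower()), expected)
            for name, expected in baseline.items()
            if config.get(name.lower()) != expected]

def check_services(enabled: list, allowlist: set = SERVICE_ALLOWLIST) -> list:
    """Anything enabled that is not explicitly allowed should be disabled."""
    return [Finding(f"service:{svc}", "enabled", "disabled")
            for svc in enabled if svc not in allowlist]

def remediate_sshd(text: str, baseline: dict = SSHD_BASELINE, dry_run: bool = True):
    """Fix the first occurrence of each baseline directive, or insert it.
    Returns (new_text, impact); impact lists (line_no, old, new) per change.
    With dry_run=True the text comes back untouched, so the impact report can
    be reviewed before anything is enforced on production."""
    wanted = {name.lower(): (name, value) for name, value in baseline.items()}
    lines, impact, done = text.splitlines(), [], set()
    insert_at = len(lines)
    for i, raw in enumerate(lines):
        d = _directive(raw)
        if d is None:
            continue
        key = d[0].lower()
        if key == "match":
            insert_at = i       # inserted directives must sit above any Match block
            break
        if key in wanted and key not in done:
            done.add(key)
            new_line = f"{d[0]} {wanted[key][1]}"
            if raw.strip() != new_line:
                impact.append((i + 1, raw, new_line))
                lines[i] = new_line
    missing = [f"{n} {v}" for k, (n, v) in wanted.items() if k not in done]
    impact += [(insert_at + j + 1, "", line) for j, line in enumerate(missing)]
    lines[insert_at:insert_at] = missing
    return (text if dry_run else "\n".join(lines) + "\n"), impact

if __name__ == "__main__":
    for f in check_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG)) + check_services(SAMPLE_ENABLED_SERVICES):
        print(f"FAIL {f.check}: current={f.current!r} expected={f.expected!r}")
    for line_no, old, new in remediate_sshd(SAMPLE_SSHD_CONFIG)[1]:   # dry run
        print(f"would change line {line_no}: {old!r} -> {new!r}")
```

Two details matter in practice and are the reason the checker is written this way: sshd uses the first value it finds for a keyword, so appending a hardened line at the bottom of the file below an old weak one silently does nothing, and a directive left unset falls back to whatever default the installed OpenSSH build ships, so "absent" is treated as a failure. On a real host the same structure would read /etc/ssh/sshd_config and the output of `systemctl list-unit-files --state=enabled` instead of the constructed samples.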

A continuously hardened system keeps risk to a minimum, so the chances of a breach are low; but even a small deviation from the hardening baseline can be enough to let one in. Attackers are always waiting for you to make mistakes, so keep your organization’s systems aligned with current hardening standards to mitigate the risk.

How to Harden your System?

Hardening is an ongoing process, and complex environments make it difficult: it takes hours of work and resources, and it often causes downtime. More than 60% of IT teams report experiencing downtime during infrastructure hardening.

The best answer to this challenge is to automate the hardening procedure. A good hardening automation tool should generate an impact analysis report automatically, so you know what a policy change will break before it is enforced; enforce your policies on production systems; and maintain your servers’ compliance posture over time. Such a tool is essential for minimizing the attack surface and achieving compliance in large, complex infrastructures.