As delivered from the manufacturer, your network systems’ default configurations are often function-oriented rather than security-oriented. Changing the system’s default configuration to a more secure form is what we refer to as system hardening.
This task is critical for two main reasons:
1. Security - the cyber-crime landscape keeps evolving, with ever more sophisticated attack techniques. Yet investing in basic controls such as system hardening has repeatedly been shown to have the biggest impact on an organization's security. Misconfigured assets are responsible for over 40% of infrastructure vulnerabilities, and establishing secure configurations protects against the largest number of attack techniques (according to an ATT&CK-based report).
2. Compliance - system hardening is now a basic requirement of most information security regulations. PCI-DSS, HIPAA, CMMC and others require organizations to implement a robust hardening policy. Hardening can no longer be a 'check the box' task performed to pass an audit: implementing a comprehensive hardening policy based on industry best-practice benchmarks is a continuous process that must be handled with care.
The high regulatory demands and the growing risk of cyber attacks require organizations to invest more than ever in achieving a secure baseline through robust hardening policies.
Three main challenges in a hardening project:
1. Generating an impact analysis report.
2. Policy implementation and change management.
3. Remaining compliant.
Three main stages in a hardening project:
1. Setting hardening policies - policies must be as granular as possible, addressing different environments, machine types, roles, and versions. It is normal for one organization to manage tens of policies for its infrastructure. Policies usually rely on industry best-practice benchmarks (such as the CIS Benchmarks or DISA STIGs), adjusted to each organization's unique needs.
2. Generating an impact analysis of the policies and implementing them - the policies' impact on production must be analyzed to prevent outages caused by their implementation. This is a critical stage, as it is prone to mistakes that can have devastating results. After the analysis, only the policy rules that will not break production functionality are implemented on the relevant machines.
3. Monitoring and maintaining the compliance posture - hardening is often mistaken for a one-time task. If you treat it that way, the dynamic nature of the infrastructure will put you back at square one a year or two after the initial hardening project. As machines are decommissioned and new ones installed, weak change management procedures erode your compliance posture. In addition, newly discovered vulnerabilities must be addressed in the hardening policies.
Challenge 1: generating an impact analysis report
To generate an impact analysis report detailing how a policy will affect production, you need a test environment.
Why? Applying the policy directly to production systems can cause severe damage, so the policy must first be tested in a dedicated test environment to understand its impact (impact analysis).
The challenge lies in the number of different environments, machine types and applications in your infrastructure.
In an optimal impact analysis you would perfectly simulate every type of environment you have in production, then apply every required policy rule and check its effect on the server's functionality. Note that even with such an environment you will not be able to simulate the production volume of traffic and users, so take this into account for the rules it affects (for example, connection limits, timeouts and logging levels).
The automated alternative is to use tools that generate the report by analyzing the production systems directly rather than a simulation. These tools are usually agent-based and assess the impact of each rule without applying it, so the report reflects real usage and is the most accurate one you can get.
Challenge 2: policy implementation and change management
To achieve a secure and compliant infrastructure, policies must be as granular as possible. This is why implementing the right policy on the right machine, and making sure every rule is actually enforced, can be tricky. The process is prone to human errors that end up decreasing the security and compliance posture. In addition, keeping track of policy changes, managing them, and being able to roll back any of them is complex in a multi-environment infrastructure.
Use Group Policy Objects (GPOs) or configuration management tools, together with administrative procedures, to make sure the right policy was fully implemented on the right machine, and follow change management best practices to build a change management policy in your organization.
An automated solution for this challenge lets you control the entire implementation process from a single point of control, helps you find your feet when managing multiple policies for your infrastructure, turns change management procedures from a problem into a routine, and leaves the whole process far less prone to human mistakes.
Challenge 3: remaining compliant
Investing effort in properly hardening servers is not enough. Ongoing monitoring and maintenance are required, because the production environment constantly changes and new vulnerabilities are discovered. Adopting healthy habits saves a lot of time and money by removing the need to re-harden the infrastructure from scratch every few years.
Non-automated approach (using scanning tools):
You will need to implement structured procedures for:
- Annual policy updates covering new vulnerabilities and changes in the infrastructure's components and structure.
- Compliance checks to make sure that policy and infrastructure changes did not damage compliance.
- Preserving a record of what was changed, where, when and why. Usually all of this knowledge sits with the IT staff member responsible for the task; once that person leaves the organization, nobody knows what actually happened in the system or why certain decisions were made.
An automated solution for this challenge provides continuous monitoring of your compliance posture, prevents configuration drift, and remediates undesired changes.
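The procedures above (granular per-role policies from the stages section, a compliance check, a change record, and drift remediation) can be scripted. Here is an added example, not part of the original article or of any product it describes: a small Python checker for an OpenSSH sshd_config. The policy values, the role override, the host and role names and the sample config are constructed for illustration and are not taken from any real benchmark. It also shows a caveat a naive checker misses: sshd uses the first value it reads for a keyword, so a compliant-looking line appended after a non-compliant one is dead configuration, and a missing setting must be treated as non-compliant because the built-in default may be the insecure value.

```python
import re
from datetime import datetime, timezone

# Layer 1: organization-wide baseline (constructed, benchmark-style values).
BASE_POLICY = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}
# Layer 2: per-role overrides, the granular policy the text asks for. Assumption
# for this example: bastion hosts keep password authentication for break-glass
# accounts, so that single rule is relaxed for that role only.
ROLE_OVERRIDES = {"bastion": {"PasswordAuthentication": "yes"}}

# Constructed sshd_config for a hypothetical web server. sshd honours the FIRST
# value it reads for a keyword, so the compliant-looking last line is dead.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
X11Forwarding no
MaxAuthTries 6
LogLevel VERBOSE
PermitRootLogin no
"""

def effective_policy(role):
    """Merge the baseline with the overrides for one role."""
    return {**BASE_POLICY, **ROLE_OVERRIDES.get(role, {})}

def _active_lines(lines):
    """Yield (index, keyword, value) for active lines before any Match block.
    Match-block settings apply conditionally and are skipped (simplification)."""
    for i, line in enumerate(lines):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", s, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        if parts[0].lower() == "match":
            return
        yield i, parts[0].lower(), parts[1]

def parse_sshd_config(text):
    """keyword -> effective value, using sshd's first-match semantics."""
    effective = {}
    for _, key, value in _active_lines(text.splitlines()):
        effective.setdefault(key, value)  # first occurrence wins
    return effective

def check_compliance(policy, actual):
    """One finding per rule. A missing setting counts as non-compliant, not as
    unknown: sshd's built-in default may be the insecure value."""
    findings = []
    for key, expected in policy.items():
        current = actual.get(key.lower())
        status = "missing" if current is None else ("pass" if current == expected else "fail")
        findings.append({"key": key, "expected": expected, "actual": current, "status": status})
    return findings

def _first_index(lines, key):
    return next((i for i, k, _ in _active_lines(lines) if k == key.lower()), None)

def _set_value(lines, key, value):
    """Rewrite the first active occurrence; if absent, insert at the top so the
    new line is the one sshd honours."""
    idx = _first_index(lines, key)
    if idx is None:
        lines.insert(0, f"{key} {value}")
    else:
        lines[idx] = f"{key} {value}"

def remediate(text, findings, host, role):
    """Fix every non-compliant rule; return (new_text, change_record). The record
    keeps before/after values so the change can be audited or undone."""
    lines, changes = text.splitlines(), []
    for f in findings:
        if f["status"] != "pass":
            _set_value(lines, f["key"], f["expected"])
            changes.append({"key": f["key"], "before": f["actual"], "after": f["expected"]})
    record = {"host": host, "role": role, "changes": changes,
              "time": datetime.now(timezone.utc).isoformat()}
    return "\n".join(lines) + "\n", record

def rollback(text, record):
    """Undo a change record: restore previous values, drop lines that were added."""
    lines = text.splitlines()
    for change in reversed(record["changes"]):
        idx = _first_index(lines, change["key"])
        if idx is None:
            continue
        if change["before"] is None:
            del lines[idx]
        else:
            lines[idx] = f"{change['key']} {change['before']}"
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    findings = check_compliance(effective_policy("web"), parse_sshd_config(SAMPLE_CONFIG))
    for f in findings:
        print(f"{f['status']:7} {f['key']}: expected {f['expected']!r}, found {f['actual']!r}")
    fixed, record = remediate(SAMPLE_CONFIG, findings, host="web01", role="web")
    print(record["changes"])
```

Run against the sample, the checker reports PermitRootLogin and MaxAuthTries as failing and PasswordAuthentication as missing; remediate() rewrites the failing lines in place, inserts the missing one at the top, and returns a change record that rollback() can apply to reproduce the original file exactly. In a real deployment the record would be written to a ticketing or CMDB system and the check run on a schedule, so drift is caught when it happens rather than rediscovered at audit time.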
There are two approaches to system hardening: automated and non-automated. With a non-automated approach you will need to develop internal procedures and rely on general-purpose tools that were not built for hardening, so the level of in-house knowledge and resources required is high. This approach is realistic for small businesses with infrastructures of up to about 150 servers. For larger organizations the recommended approach is to use hardening automation tools, which cover the whole process and dramatically increase the chance of ending up with a secure and compliant infrastructure.