SANS CSC No. 3, When security goes behind the security team

By Roy, on May 22nd, 2016

Security is complicated. The growing threat landscape and multiple breaches encourage security professionals to play a proactive role in securing their organizations. There is a lot of buzz out there that might create confusion among security professionals, This is why SANS institute together with CIS (the Center for Internet Security) backed by official US government authorities such as NIST and the NSA provide the SANS 20 critical security controls (CSC).

The SANS 20 Critical Security Controls is a prioritized list designed to provide maximum benefits toward improving risk posture against real-world threats. This list of 20 control areas grew out of an international consortium of U.S and international agencies and experts, sharing from actual incidents and helping to keep it current against evolving global cyber security threats. Additionally, the SANS Top 20 CSC are mapped to NIST controls as well as NSA priorities.

CSC 3- Secure configurations for hardware and software is ranked by the NSA as one of the top 3 “must” CSC to implement. Implementing CSC 3 for servers is a basic yet critical step that many enterprises fail to implement. During some of the largest data breaches such as Target, JP Morgan and Acme servers which are not configured in a secure manner with a proper baseline were a main part of the successful attack chain (according to the SANS data breach reports).

CSC 3 or “server baseline hardening” seems to be an easy to implement step in the enterprise security posture, but unlike other CSC’s this one is behind the reach and control of the CISO office. A  joint effort of IT operations and security teams is required. The individual goals of these two groups are often misaligned, due to conflicting responsibilities. The result is what industry analysts are calling a “SecOps gap,” where poor collaboration between these two groups results in unhardened servers, system downtime, excessive labor costs and challenges meeting regulatory compliance requirements.

Deploying a security baseline from an operational perspective is costly, repetitive, and complicated to manage – for two main reasons:

  • Downtime and testing requirements. When using manual hardening methods or familiar hardening tools, the hardening process may affect OS or application functionality and cause server downtime. In order to prevent downtime, IT teams spend long hours testing policies in lab environments before deploying them on servers in production environments.


  • Configuration drift. The authorization of multiple privileged users in an enterprise environment makes it difficult to ensure that servers remain hardened., requiring IT teams to repeat the hardening process on a regular basis.


CSC 3 requires a special assessment and a different approach in order to ensure the server security and minimize costs and interruption of the day to day service. At CalCom we recommend to plan the implementation of CSC 3 as a joint project lead by the operations teams and guided by the CISO office. A “one time”  project combining the right tools and professionals  ensure  effective and on going implementation of a security baseline.