Version 7.1 of the guidelines published by the Center for Internet Security (CIS) contains 20 actions, or “controls”, that should be performed in order to achieve a cyber-attack resilient IT infrastructure. In this article we are going to dive into the 5th CIS Control and how to harden configurations using CIS benchmarks.
In the 5th Control, the CIS recommends maintaining documented security configuration standards for all authorized operating systems and software (5.1). They also recommend deploying system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals (5.4). According to CIS, organizations must implement rigorous configuration and change control processes to prevent attacks that exploit vulnerable services and settings.
As delivered by the vendor, an operating system’s default configuration is aimed at usability rather than security. Without measures to secure it, the operating system is therefore highly vulnerable to cyber-attacks. Deploying configuration settings with good security properties in complex IT environments is extremely difficult, as it requires analyzing hundreds of options and testing them before any decision is made. This process usually requires the efforts of several people and investment in additional resources, and is therefore often neglected or performed incorrectly, leaving the organization vulnerable.
It is not a rare sight to see attackers take advantage of an organization’s unknown security gaps, penetrating the enterprise IT network, spreading malware and causing extensive damage. For example, the WannaCry malware, which first appeared in May 2017, is a Server Message Block (SMB) worm that uses such a gap to gain access and distribute itself across the network. Although Microsoft released the relevant security updates during 2016 and 2017, WannaCry, as well as other SMB worms such as the Brambul malware, continues to cause thousands of dollars’ worth of damage every day.
There are a number of actions you need to perform to make sure that your configurations are secure:
Establish standard secure configurations of the operating systems and software. Configurations should be updated and validated in light of the latest vulnerabilities and attack vectors.
Apply strict configuration management to all new systems deployed in the enterprise. For an existing system that has been compromised, update the security image that will address its vulnerabilities. Different types of systems (servers, workstations, etc.) should have their own security images.
Store the master security image on securely configured servers that have been validated with integrity testing tools. Make sure that only authorized changes to the image are possible. Another option is to store the master image in offline machines, air-gapped from the production network. Use secure media to move the image from its storage to the production network.
Use only secured channels to perform all remote administration activities. Protocols that do not natively support strong encryption (telnet, VNC, RDP, etc.) should only be used if they are tunneled over a secondary encryption channel, such as SSL, TLS or IPsec.
Use file integrity checking tools to ensure that critical files have not been changed. The checking tool should have the ability to accept routine and expected changes and to alert regarding unusual or unexpected changes. The tool should show the history of configuration changes over time and identify who made them (including the user’s original login account in the event of a user ID switch, as can be performed using the su or sudo command). The integrity checking tools should identify suspicious system changes such as: owner and permissions changes to files or directories; usage of alternate data streams that could be used to hide malicious activities; and the introduction of new files into key system areas (which could also indicate malicious activities).
Use automated configuration monitoring that can check all remotely-testable secure configuration elements and raise alerts if unauthorized changes occur (new listening ports, new admin users, changes in the group and local policy objects, and new services running on the system). Tools that integrate with the Security Content Automation Protocol (SCAP) are recommended.
Deploy system configuration management tools that will automatically enforce system configuration settings – periodically, or preferably, in real-time. Using them, you should be able to redeploy or have real-time control over the configuration settings on a scheduled, manual or event-driven basis.
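The file integrity checking and configuration monitoring actions above both reduce to the same mechanism: record an approved baseline, take a fresh snapshot of the system, and report every difference, while letting routine changes that are covered by an approved change record pass without an alert. The following Python script is an added illustration of that mechanism and is not code from the original article, from CalCom, or from CIS. The baseline, the current snapshot, the file paths, the change ticket id (CHG-1001) and the port, user and service names are all constructed sample data; the real integrity tool would populate the "files" entries with fingerprint_file() and the other sets from the host's socket, account and service inventories.

```python
import hashlib
import os
import stat

# Constructed sample baseline: the approved state of a few key files and
# the listening ports, admin users and services present on the master image.
BASELINE = {
    "files": {
        "/etc/ssh/sshd_config": {"sha256": "a" * 64, "owner": "0", "mode": "0600"},
        "/etc/sudoers": {"sha256": "b" * 64, "owner": "0", "mode": "0440"},
        "/usr/bin/passwd": {"sha256": "c" * 64, "owner": "0", "mode": "4755"},
    },
    "listening_ports": {22, 443},
    "admin_users": {"root", "ops-admin"},
    "services": {"sshd", "nginx", "auditd"},
}

# Constructed sample of what a later scan of the live system returned.
CURRENT = {
    "files": {
        "/etc/ssh/sshd_config": {"sha256": "d" * 64, "owner": "0", "mode": "0600"},  # content changed
        "/etc/sudoers": {"sha256": "b" * 64, "owner": "0", "mode": "0666"},          # permissions loosened
        "/usr/bin/passwd": {"sha256": "c" * 64, "owner": "0", "mode": "4755"},       # unchanged
        "/usr/bin/helper": {"sha256": "e" * 64, "owner": "0", "mode": "4755"},       # new setuid file
    },
    "listening_ports": {22, 443, 4444},
    "admin_users": {"root", "ops-admin", "svc-backup"},
    "services": {"sshd", "nginx", "auditd", "xyz"},
}

# Routine, expected changes: (finding kind, subject) -> approved change ticket (constructed).
APPROVED_CHANGES = {("file_content", "/etc/ssh/sshd_config"): "CHG-1001"}


def sha256_hex(data):
    """SHA-256 of a byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def format_mode(st_mode):
    """Permission bits (including setuid/setgid/sticky) as a 4-digit octal string."""
    return format(stat.S_IMODE(st_mode), "04o")


def fingerprint_file(path):
    """Hash a file's contents and record its owner uid and permission bits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "owner": str(st.st_uid), "mode": format_mode(st.st_mode)}


def compare(baseline, current, approved):
    """Diff a current snapshot against the baseline; mark approved changes as expected."""
    findings = []

    def report(kind, subject, detail):
        ticket = approved.get((kind, subject))
        findings.append({"kind": kind, "subject": subject, "detail": detail,
                         "status": "expected" if ticket else "alert", "ticket": ticket})

    for path, cur in current["files"].items():
        base = baseline["files"].get(path)
        if base is None:
            report("new_file", path, "new file in a key system area (mode %s)" % cur["mode"])
            continue
        if cur["sha256"] != base["sha256"]:
            report("file_content", path, "content hash changed")
        if cur["owner"] != base["owner"] or cur["mode"] != base["mode"]:
            report("file_metadata", path, "owner/mode %s:%s -> %s:%s"
                   % (base["owner"], base["mode"], cur["owner"], cur["mode"]))
    for path in sorted(baseline["files"].keys() - current["files"].keys()):
        report("missing_file", path, "baseline file is missing")

    # Remotely-testable configuration elements: anything present now but not in the baseline.
    for kind, key in (("listening_port", "listening_ports"),
                      ("admin_user", "admin_users"),
                      ("service", "services")):
        for item in sorted(current[key] - baseline[key], key=str):
            report(kind, str(item), "present now, absent from baseline")
    return findings


def alerts(findings):
    """Only the findings that are not covered by an approved change record."""
    return [f for f in findings if f["status"] == "alert"]


if __name__ == "__main__":
    for f in compare(BASELINE, CURRENT, APPROVED_CHANGES):
        print("%-8s %-14s %-22s %s" % (f["status"], f["kind"], f["subject"], f["detail"]))
```

Run against the constructed data, the script reports six differences, of which five are alerts; the sshd_config content change is reported but marked expected because ticket CHG-1001 covers it. Keeping the baseline on the securely configured server that holds the master image, rather than on the monitored host, is what stops an attacker who changes a file from also changing the record it is compared against.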
Your configuration properties should rely on security benchmarks – guidelines published by a reliable source such as CIS. The CIS benchmarks, considered the gold standard, contain over 100 configuration guidelines for various systems, safeguarding them against attacks that target configuration vulnerabilities. Following these guidelines will provide a secure image that will improve your organization’s security posture.
It is likely that you will need to support a variety of standardized security images, due to the organization’s complexity and its range of supported functionalities. The number of image variations should be kept to a minimum in order to better understand and manage the security properties of each, but the organization must be able to manage multiple baselines.
A study done in 2017 showed that organizations fail over 50% of the compliance checks established by the CIS in their benchmarks. More than half of these failures were high-severity issues. System hardening should be a mandatory requirement. CIS benchmarks provide incredible depth – so following them can be considered a burden.
As with any such complex task, difficulties often arise and production systems are often harmed. In order to establish a new configuration, lab testing should be performed before implementing the change in production. These tests require long hours of testing for every change to be made in the system. As the enterprise’s network constantly changes, keeping track of hardening status and implementing the benchmarks is almost impossible to perform without hitches.
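To see what a compliance figure such as "over 50% of checks failed, more than half of them high-severity" is computed from, here is an added Python example of a minimal benchmark evaluator; it is not code from the article, from CalCom, or from CIS, and the check ids, setting names, expected values and severities are constructed to look like benchmark-style recommendations rather than quoted from any CIS benchmark. It evaluates each check against a snapshot of the system's settings, treats a setting that was never configured as a failure (a common source of misses in practice), and summarizes the failures by severity.

```python
# Comparison operators a check can use: (actual, expected) -> bool.
OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "min": lambda actual, expected: actual >= expected,
    "max": lambda actual, expected: actual <= expected,
    "in": lambda actual, expected: actual in expected,
}

# Constructed, illustrative checks in the style of a hardening benchmark (not CIS text).
CHECKS = [
    {"id": "PWD-01", "setting": "MinimumPasswordLength", "op": "min", "expected": 14, "severity": "high"},
    {"id": "PWD-02", "setting": "PasswordHistorySize", "op": "min", "expected": 24, "severity": "medium"},
    {"id": "LCK-01", "setting": "LockoutBadCount", "op": "in", "expected": range(1, 11), "severity": "high"},
    {"id": "AUD-01", "setting": "AuditLogonEvents", "op": "eq", "expected": "success_and_failure", "severity": "high"},
    {"id": "SMB-01", "setting": "SMBv1Enabled", "op": "eq", "expected": False, "severity": "high"},
    {"id": "RDP-01", "setting": "RdpEncryptionLevel", "op": "min", "expected": 3, "severity": "medium"},
]

# Constructed snapshot of one system's effective settings, as a configuration
# collector might return it. AuditLogonEvents is deliberately absent (never set).
SAMPLE_SYSTEM = {
    "MinimumPasswordLength": 8,
    "PasswordHistorySize": 24,
    "LockoutBadCount": 0,          # 0 means "never lock out", so it is outside 1..10
    "SMBv1Enabled": True,
    "RdpEncryptionLevel": 3,
}


def evaluate(checks, system):
    """Return one result per check: passed flag, severity and a reason when it failed."""
    results = []
    for check in checks:
        actual = system.get(check["setting"])      # None only when the setting is absent
        if actual is None:
            passed, reason = False, "setting not configured"
        else:
            try:
                passed = bool(OPERATORS[check["op"]](actual, check["expected"]))
            except TypeError:                       # e.g. a string where a number was expected
                passed = False
            reason = "" if passed else "actual=%r, expected %s %r" % (actual, check["op"], check["expected"])
        results.append({"id": check["id"], "setting": check["setting"], "severity": check["severity"],
                        "passed": passed, "reason": reason})
    return results


def summarize(results):
    """Overall fail rate plus a count of failed checks per severity."""
    failed = [r for r in results if not r["passed"]]
    by_severity = {}
    for r in failed:
        by_severity[r["severity"]] = by_severity.get(r["severity"], 0) + 1
    return {
        "total": len(results),
        "failed": len(failed),
        "fail_rate": len(failed) / len(results) if results else 0.0,
        "failed_by_severity": by_severity,
    }


if __name__ == "__main__":
    results = evaluate(CHECKS, SAMPLE_SYSTEM)
    for r in results:
        print("%s %-7s %-8s %s" % ("PASS" if r["passed"] else "FAIL", r["id"], r["severity"], r["reason"]))
    print(summarize(results))
```

On the constructed sample the system fails four of the six checks, all of them high-severity, which is the shape of result the 2017 study describes. In a real deployment the evaluator would run on a schedule against every baseline variant the organization maintains, and a failed check would feed the same alerting path as an unauthorized configuration change, so that drift and non-compliance are handled by one process.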
Automate Hardening and Avoid Production Outages:
Automation of the hardening process is a must in order to overcome this challenge. Automated tools are needed to simplify the decision-making process regarding configuration changes. Implementing those changes should also be performed automatically, leaving no room for human error that would leave the system vulnerable. CHS by CalCom is a server hardening automation tool. CHS has the ability to learn your production environment and analyze the impact of every configuration change, thereby eliminating the need for lab testing and allowing you to implement CIS benchmarks directly in the environment without the risk of production outages. Learn more about the benefits and features of CHS by downloading our datasheet.