By Keren Pollack, on January 7th, 2021

If you haven’t yet established an organizational hardening routine, now is a good time to start a hardening project. A good place to start is building your policy, usually according to best practices such as the CIS Benchmarks. Your next step will be implementing your policy in your network, and finally, maintaining your infrastructure hardened at all time. These are basic steps for ensuring compliance and cyber resilience.

 

Here are five reasons why hardening should be a top of your priorities this year:

 

  1. Misconfigured assets are responsible for over 40% of infrastructure vulnerabilities

 

In 2018, TLS & SSL versions and other configuration issues held almost 45% of the infrastructure vulnerabilities.

In addition, SMB security issues (such as SMBv1 vulnerability), were responsible for almost 30% of infrastructure vulnerabilities.

 

Configuration changes that lead to compliance drifts is a leading reason for compliance issues that can easily result in audit issues and breaches. Even if your organization passes its annual compliance audit, every change in the infrastructure, such as adding a new server to accommodate a new tool, is a source for vulnerabilities and compliance issues. These kinds of scenarios are inevitable, since new assets, users, and applications are constantly added, and configuration changes are made constantly.

 

Great care should be taken to ensure that the infrastructure is always configured securely. Your assets should always be compliant with the necessary frameworks to protect them against cyber-attacks and your organization from non-compliance fines.

 

 

Leaving TLS 1.2 and moving to TLS 1.3

 

  1. Over 30% of internal-facing vulnerabilities could be mitigated by hardening actions

 

In 2019, 31% of the internal facing vulnerabilities could be mitigated (partially or completely) via hardening actions.

 

Implementing security configuration guidelines, such as the CIS Benchmarks will ensure that easily exploitable security holes have been closed. Hardening your assets according to these benchmarks comes down to two main actions:

 

a. Bringing your existing assets in line with the relevant benchmarks.

b. Making sure they stay this way (as mentioned above).

 

Easier said than done since many organizations hold a huge number of assets, each with thousands of configuration options. Bringing the assets in line with benchmarks such as the CIS Benchmarks can easily take years when done manually. In addition, since the organization’s network is dynamic and constantly changes, it would really be impossible to ensure continuous compliance without technological assistance.

 

Emotet, TrickBot & Ryuk Attack Can Be Mitigated With Hardening

 

  1. Establishing secure configurations will protect you from the highest number of ATT&CK techniques

According to the CIS Community Defense Model, the 5.1 CIS control- establish secure configurations, maps to 145 ATT&CK techniques, and provides the most coverage in a single safeguard.  This illustrates the high value of implementing secure configurations in your organization’s assets.

Even though these are the numbers, organizations usually invest in technological solutions like Firewalls and EDRs, since techniques and solutions designed to harden existing systems are considered too labor-intensive. While Firewalls and EDRs are important, they can’t make up for basic security issues such as not secured configurations. For this reason, all major compliance frameworks put a heavyweight on secure configuration and recommend implementing best practices such as the CIS Benchmarks.

 

 

 

  1. Implementing the CIS benchmarks is mandatory in most regulations and compliance frameworks

It is a known fact that security and compliance are not the same but must work together to protect the organization. As mentioned above, like security, compliance should be maintained continuously. Having your organization paying non-compliance fines in addition to the costs of a security breach is avoidable if treating compliance as a never-ending project.

 

Most prominent compliance and regulatory frameworks consider the CIS benchmarks to be the industry standard, even if they do not directly refer to them.

 

Common regulations such as GDPR, HIPAA, FISMA, CMMC, and frameworks such as PCI-DSS and NIST accept the CIS Benchmarks as the best practice. Configuring your assets to be in line with the CIS Benchmarks is a huge step toward achieving compliance with those regulations.

 

CMMC, NIST 800-171, and server hardening- Part 1

 

  1. Implementing secure configuration is no longer an endless project you have no chance of completing

 

Implementing a secure configuration to achieve compliance and better security posture and maintaining it in the dynamic and ever-changing organization’s network is impossible without assisting the right tools and using automation. Fortunately, there is one tool that will both put your assets in line with your desired policy and maintain it continuously- CalCom Hardening Solution CHS. CalCom solutions are designed to reduce operational costs and increase your network security and compliance posture.

 

 

One of the biggest concerns when making changes in the system’s configuration is creating production outages. Understanding what the impact of each change of the system’s functionality will be is what makes the task of hardening so difficult and risky. Creating a lab environment that will try to simulate the production environment and performing tests on it is labor-intensive and will not completely cover you from the risk of outages.

 

 

CalCom Hardening Solution will learn your network and report you which policy rule will result in breaking production and why. It will then automatically implement your desired policy over your entire infrastructure, from a centralized management point. Finally, CalCom’s solution will maintain your assets continuously hardened, preventing these often missed compliance drifts that often lead to audit failure on breaches.

 

CHS SUITE