By Roy, on November 3rd, 2016

First circulated in 2009, the CIS Critical Controls are used by both the U.S. and U.K. governments as a leading framework for securing critical IT infrastructures. Consisting of 20 security controls that cover areas from malware defense to incident response and management, the CIS Critical Controls offers a prioritized set of security measures for assessing and improving an organization’s security posture.

The controls serve as a solid checklist for performing cyber security as it addresses the vast majority of security issues faced by organizations today. In these days of multiple solutions and ideas of how to mitigate cyber-attacks, following the 20 CIS critical controls is a basic yet challenging thing to do.

The 20 CIS Critical Controls for Effective Cyber Defense were developed in 2008 by the NSA at the request of the Office of the Secretary of Defense. The goal was to prioritize cybersecurity controls for combating cyber-attacks based on the NSA’s deep knowledge of cyber-attack patterns and security compromises.

The controls are all important but the top of the list are the fundamental steps for security. Reviewing CSC 3, this control represents one of the most basics yet hard to achieve steps in securing an infrastructure. Other than controls that require implementation of tools or procedures CSC 3 requires a joint effort and a change in culture from both IT and security teams.

CSC 3 requires IT teams to establish, implement, and actively manage (track, report on, correct) the security configuration of servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why Is This Control Critical? As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared to ease-of-deployment and ease-of-use – not security. Basic controls, open services and ports, default accounts or passwords, older (vulnerable) protocols, pre-installation of unneeded software; all can be exploitable in their default state.

Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring intensive analysis of the impact tweaking settings and deploying configurations will have on the applications services. This potentially requires analysis of thousands of options in order to achieve a good compliance posture with known benchmarks such as CIS. Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security “decay” as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked” to allow the installation of new software or support new operational requirements. If not, attackers will find opportunities to exploit both network-accessible services and client software.

For a complex enterprise, the establishment of a single security baseline configuration (for example, a single installation image for all workstations across the entire enterprise) is sometimes not practical or deemed unacceptable. It is likely that you will need to support different standardized images, based on the proper hardening to address risks and needed functionality of the intended deployment (example, a web server in the DMZ vs. an email or other application server in the internal network).

Rather than start from scratch developing a security baseline for each software system, organizations should start from publicly developed, vetted, and supported security benchmarks, security guides, or checklists. Excellent resources include: • The Center for Internet Security Benchmarks Program (www.cisecurity.org) • The NIST National Checklist Program (checklists.nist.gov)

The task of baseline security hardening for servers is a reputable and labor intensive one. The ongoing change in the threat landscape which leads to frequent changes in hardening recommendation and benchmarks combined with the daily changes to the server infrastructure set a real challenge for both management and technical staff. The complexity of this important security task requires proper tools, knowledge and the backwind of c-level executives.

CalCom has recently got certified as a CIS Critical security control champion. Our server hardening automation platform implements the CIS security benchmarks in a cost effective and outages free fashion. The CHS learning capabilities overcome the need to commit your IT team to long hours of policy testing and putting down fires when outages occur due to hardening. Contact us today to discuss how we can help you implement and maintain a secure and hardened infrastructure with a good ROI.