The Center for Internet Security (CIS) has published an updated version of the CIS Controls: CIS Controls v8. The CIS Controls are a set of gold-standard guidelines for organizations facing data security issues. They were developed to simplify the work of IT operations and security teams and keep them focused on the essentials of CIS hardening.
CIS updates its recommendations according to changes and new discoveries in the information security field. The 8th version of the CIS Controls was published in May 2021. In this version, CIS slightly shifts its perspective on baseline security and system hardening.
In this post we walk through the CIS security guidelines for baseline security and what has changed from the previous versions.
CIS Control 4: Secure Configuration of Enterprise Assets and Software
"Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications)".
This Control is all about CIS hardening standards for every configurable component in your environment, hardware and software alike. Deploying CIS configuration settings is extremely complex. It requires multi-disciplinary staff who must analyze potentially hundreds or thousands of possible settings to make the right decision for each one. Furthermore, after configuration settings are deployed, they must be continually managed, because the system constantly changes and new vulnerabilities emerge.
There are a number of hardening tools that can help you reach a hardened infrastructure, but only a few of them are dedicated solely to hardening. We strongly recommend automating system hardening. Relying on unautomated tools will most likely result in one of two scenarios:
1. Critical machines not configured in the most secure fashion, increasing the organization's attack surface.
2. Downtime of critical machines caused by using manual tools for such complex tasks.
(Resource: CIS Critical Security Controls v8)
12 Actions for a Secure Baseline
According to the CIS Controls, there are 12 actions required to achieve a secure baseline.
1) Establish and Implement Security Controls: Maintaining a Secure Configuration Process
This refers to all enterprise assets, including the target system (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). It also covers cloud platforms such as Microsoft Azure.
The process of securing configurations has 3 stages:
1. Building a configuration security policy - each system component type, role, version, and environment should have its own policy. Policies should be updated annually, or whenever a significant change occurs in the organization. The CIS Benchmarks provide policies based on configuration security best practices and security standards.
2. Testing and implementing the policy - once the policy is approved, it must be implemented in its approved version. Any deviation should be handled as an exception. This stage presents a major technical challenge and can cause severe damage to the organization when not managed correctly. The main danger is causing production outages as a result of configuration changes. The desired policy will impact your machines, so in order to avoid production outages you must understand the potential impact of your policy before enforcing it.
Therefore, each policy should be tested before being pushed to production. The test's goal is to produce an impact analysis report that indicates each configuration change's impact on the machine's functionality. Without this impact analysis, downtime is certain.
3. Monitoring the compliance posture - investing effort in properly hardening servers is not enough. Ongoing monitoring and maintenance are required, because the production environment constantly changes and new vulnerabilities are discovered. Monitoring the compliance posture can also reveal malicious activity. A great deal of time and money is saved by adopting healthy habits that remove the need to harden your infrastructure from scratch every few years.
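The three stages above in working form, as an added example that is not code from CalCom, CIS or this post: one baseline per asset type (using the lock-timeout and failed-attempt limits quoted later in the post), approved exceptions for deviations found during impact analysis, and drift detection between two compliance snapshots. All asset ids, setting names and the exception are constructed.

```python
# Added example, not code from CalCom, CIS or this post: one baseline per asset type,
# approved exceptions, and drift between two compliance snapshots. Limits are the
# ones the post quotes; every asset and exception below is constructed sample data.
OPS = {"<=": lambda value, limit: value <= limit, "==": lambda value, limit: value == limit}

# Policy per component type (the post asks for one per type/role/version/environment).
BASELINES = {
    "server": {"session_lock_secs": ("<=", 900), "firewall_enabled": ("==", True),
               "rdp_enabled": ("==", False), "builtin_admin_enabled": ("==", False)},
    "laptop": {"session_lock_secs": ("<=", 900), "failed_logins_before_lock": ("<=", 20),
               "remote_wipe_enabled": ("==", True)},
    "mobile": {"session_lock_secs": ("<=", 120), "failed_logins_before_lock": ("<=", 10),
               "remote_wipe_enabled": ("==", True), "work_profile_separated": ("==", True)},
}
SAMPLE_ASSETS = [  # constructed inventory snapshot
    {"id": "srv01", "type": "server", "settings": {"session_lock_secs": 900, "firewall_enabled": True,
                                                  "rdp_enabled": True, "builtin_admin_enabled": False}},
    {"id": "lt07", "type": "laptop", "settings": {"session_lock_secs": 600,
                                                 "failed_logins_before_lock": 25, "remote_wipe_enabled": True}},
    {"id": "ph03", "type": "mobile", "settings": {"session_lock_secs": 120,
                                                 "failed_logins_before_lock": 10, "remote_wipe_enabled": True}},
]
# Deviations approved after impact analysis are recorded as (asset id, setting) exceptions.
EXCEPTIONS = {("srv01", "rdp_enabled")}  # constructed: a jump host that must keep RDP

def evaluate(asset, exceptions=frozenset()):
    """Baseline settings this asset fails. A setting the asset does not report is a
    finding ('missing'), never a silent pass; excepted settings are skipped."""
    failures = []
    for setting, (op, limit) in BASELINES[asset["type"]].items():
        if (asset["id"], setting) in exceptions:
            continue
        if setting not in asset["settings"]:
            failures.append(f"{setting}: missing")
        elif not OPS[op](asset["settings"][setting], limit):
            failures.append(f"{setting}: {asset['settings'][setting]} (required {op} {limit})")
    return failures

def snapshot(assets, exceptions=frozenset()):
    """Compliance posture of the inventory: asset id -> set of findings."""
    return {asset["id"]: set(evaluate(asset, exceptions)) for asset in assets}

def drift(previous, current):
    """Findings present now that were absent last time: what to alert on and remediate."""
    return {host: sorted(findings - previous.get(host, set()))
            for host, findings in current.items() if findings - previous.get(host, set())}

def with_setting(asset, setting, value):
    """Copy of an asset with one setting changed (used to simulate configuration drift)."""
    return {**asset, "settings": {**asset["settings"], setting: value}}
```

Running `snapshot` on each collection cycle and feeding consecutive snapshots to `drift` gives the alerting loop of stage 3; the exception set is what keeps an approved deviation from paging you every cycle.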
2) Establish and Maintain a Secure Configuration Process for Network Infrastructure
Apply the same process described above to network devices to prevent unauthorized access.
3) Configure Automatic Session Locking: A Key Secure Solution for Enterprise Assets
The default value of Automatic Session Locking in most operating systems (OS) is either Disabled or Not Defined.
To prevent unauthorized access, it is recommended to set the lock timeout to no more than 15 minutes on general-purpose operating systems and no more than 2 minutes on end-user mobile devices. This prevents unauthorized users from gaining access when the logged-in user walks away without locking the desktop.
4) Implement and Manage a Firewall on Servers
Firewalls are part of the organization's cybersecurity foundations. But you should be aware that this tool has its own security weaknesses. Therefore, it is important not to put all your trust in it and to be aware of how it is configured and how it can be maliciously used. Here are some examples of firewall weaknesses:
- Configuration mistakes - a misconfigured firewall makes it easy for an attacker to turn this security tool against you and use it to breach your network. Mistakes such as leaving dynamic routing enabled are common.
- Missed patches - this is usually a result of poor firewall management. An unpatched firewall is an open gate into your organization for attackers.
- Insider threat - a perimeter firewall is of no use against attacks that originate inside your organization unless you also deploy internal firewalls.
5) Implement and Manage a Firewall on End-User Devices
End-user device firewalls are the first line of defense against intrusion attempts. A personal firewall's job is to:
1. Screen incoming traffic and block suspicious code.
2. Screen outgoing messages that could harm the recipient.
3. Prevent attackers from using logical ports.
6) Securely Manage Enterprise Assets and Software
Examples of best practices for this section:
- Set a hardening policy that is specific not only to the type of infrastructure but also to its version. For example, the Windows Server 2016 hardening policy should differ from the Windows Server 2019 hardening policy.
- Use only secure network protocols. For example, avoid plain HTTP where possible.
- Avoid insecure protocols (Telnet, for instance).
7) Manage Default Accounts on Enterprise Assets and Software
Default accounts typically get their passwords from standard build scripts, which results in every system in the environment sharing the same password.
Take the default Administrator account as an example. Your assets ship with this account so you can use it for initial setup or as a disaster recovery account. When it is not needed for these purposes, it should be disabled. If you later need it for recovery or for booting into safe mode, the account is automatically re-enabled for use in troubleshooting tools.
By letting people use a default account, you lose the ability to audit their actions. This makes tracing the source of an attack impossible. It can also jeopardize compliance with industry standards such as PCI DSS.
8) Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Not all system components require all functionality. While manufacturers have an interest in enabling as much functionality as possible, that rarely goes hand in hand with security. Many services expose the organization to vulnerabilities. For example, RDP is one of the most prevalent tools attackers leverage today. Although RDP can be configured more securely, the best practice is to disable it wherever it is not needed.
The main challenge in applying this recommendation is producing an impact analysis report to understand which service is needed where. Here you have two options:
- Use automation tools that learn your network and automatically report the impact of each change.
- Test each change's impact on production manually. This requires you to simulate every type of system component and environment and test each change, which takes long hours and usually results in human errors that lead to downtime.
CIS Hardened Images are pre-built computer systems for the cloud that are already configured to be more secure.
You can find here all the tools, paid and free, available for this task.
9) Configure Trusted DNS Servers on Enterprise Assets
DNS is a key component of an organization's interface with the Internet and IP networks. The following are recommendations published by the SANS Institute for DNS defense:
- Stay up to date with the latest patches and builds being released.
- Separate between internal and external DNS servers.
- Disable recursion.
- Try to run DNS servers that are only dedicated to a single purpose.
- Diversify the locations of your DNS servers to help prevent DoS attacks.
- Restrict zone transfer.
- Authenticate zone transfer.
- Restrict dynamic updates.
- Hide the BIND version of the server.
- Restrict external access to the DNS servers, answering queries only for clients with public IP addresses.
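An added example, not from the post, SANS or ISC, that audits a BIND named.conf for the items in the list above that are visible in configuration: recursion disabled, zone transfers restricted and TSIG-authenticated, dynamic updates restricted, and the version string hidden. The configuration text is constructed; the key named `xfer-key` is referenced but its definition is omitted.

```python
# Added example, not from the post, SANS or ISC: audit a BIND named.conf for the
# recommendations above that are visible in configuration. Sample config is constructed.
import re
def _strip_comments(text):  # drop /* */, // and # comments so they cannot hide a statement
    return re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))
def _block(text, start):
    """Body of the {...} block whose opening brace is at index `start` (nesting-aware)."""
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return text[start + 1:i]
    return ""  # unbalanced braces: treat as empty so the checks fail closed
def _acl(body, key):
    """Address-match list of `key { a; b; };`, or None if the statement is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % key, body)
    return None if m is None else [a.strip() for a in m.group(1).split(";") if a.strip()]

def audit_named_conf(conf):
    """Findings against the list above; an empty list means nothing was flagged."""
    conf, findings = _strip_comments(conf), []
    opt = re.search(r"\boptions\s*\{", conf)
    options = _block(conf, opt.end() - 1) if opt else ""
    if not re.search(r"\brecursion\s+no\s*;", options):
        findings.append("options: recursion is not disabled")
    if not re.search(r'\bversion\s+("[^"]*"|none)\s*;', options):
        findings.append("options: real BIND version is exposed")
    default_xfr = _acl(options, "allow-transfer")  # zones inherit this when unset
    for z in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf):
        body = _block(conf, z.end() - 1)
        if not re.search(r"\btype\s+(master|primary)\s*;", body):
            continue  # only authoritative zones serve transfers and updates
        xfr = _acl(body, "allow-transfer")
        xfr = default_xfr if xfr is None else xfr
        if xfr is None or "any" in xfr:
            findings.append(f"zone {z.group(1)}: zone transfer unrestricted")
        elif xfr != ["none"] and not any(a.startswith("key ") for a in xfr):
            findings.append(f"zone {z.group(1)}: zone transfer not TSIG-authenticated")
        if "any" in (_acl(body, "allow-update") or []):
            findings.append(f"zone {z.group(1)}: dynamic updates unrestricted")
    return findings

SAMPLE_CONF = """\
options { recursion no; version "not disclosed"; allow-transfer { none; }; };
zone "example.com" { type master; file "db.example.com";
    allow-transfer { key "xfer-key"; 192.0.2.53; }; };  // TSIG key definition omitted
zone "example.net" { type master; file "db.example.net";
    allow-transfer { any; }; allow-update { any; }; };  // constructed weak zone
"""
```

Items such as separating internal from external servers or staying patched are not visible in a single named.conf, so this check complements rather than replaces the list.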
10) Enforce Automatic Device Lockout on Portable End-User Devices
The recommended number of failed attempts varies by device type. For laptops, the limit on failed attempts should not exceed 20; for tablets and smartphones, it should not exceed 10.
You can use tools such as Intune Device Lock for Microsoft devices and the Apple Configuration Profile maxFailedAttempts setting for Apple devices.
11) Enforce Remote Wipe Capability on Portable End-User Devices
This is especially important in cases of lost or stolen devices. It is also a good practice for handling a device of a former employee that you want to ban from accessing the organization's data.
12) Separate Enterprise Workspaces on Mobile End-User Devices
Isolate your employees' mobile work space from their personal usage as much as possible, so that both systems and networks remain uncompromised. This lowers the risk of employees' personal activities being leveraged by attackers to access your network.
Hardening automation tools for CIS system hardening
Hardening automation tools offer a complete hardening solution to implement CIS recommendations. For any target system, they transform this tangled process into a ‘click-of-a-button’ task. Using hardening automation tools you won’t need to write a single script or have any specific expertise. They have all the capabilities of Security Configuration tools and Compliance Scanners in addition to the capability to perform impact analysis.
CalCom Hardening Automation Suite (CHS) is a hardening automation platform designed to reduce operational costs and improve infrastructure security and compliance posture. CHS eliminates outages and reduces hardening costs by automating every stage of the hardening process:
1. Automatic impact analysis: indicating the impact of a security hardening change on the production services.
2. Automatic policy implementation: after setting a policy according to the impact analysis report, CHS will implement each policy on the right machine from a single point of control.
3. Continuous compliance: CHS monitors your compliance posture, alerts on configuration drift, and remediates it. CHS keeps your compliance level high in a dynamic, ever-changing infrastructure, so you won't need to harden from scratch a few months after your initial hardening project.