The Center for Internet Security (CIS) publishes 20 Controls, a prioritized set of actions for building an IT infrastructure that is resilient to cyber attacks. Among those 20 Controls, the first five are considered the most essential. In this article we dive into the 3rd CIS Control and into the CIS Benchmarks.
The 3rd Control covers secure configuration for hardware and software. According to CIS, organizations must establish, implement and actively manage the security configuration of their systems through a rigorous configuration management and change control process, so that attackers cannot exploit vulnerable services and settings.
As delivered by the manufacturer, an operating system's default configuration is aimed at usability rather than security, so without additional hardening it is highly exposed to attack. Deploying configuration settings with good security properties in a complex IT environment is difficult: it requires analyzing hundreds of options and testing them before any decision is taken, which usually demands the labor of several people and a considerable investment of resources. As a result, changing configuration settings is commonly neglected or done incorrectly, leaving the organization vulnerable.
It is not rare to see attackers take advantage of weaknesses an organization does not know it has, penetrate the enterprise network, spread malware and cause extensive damage. For example, the WannaCry malware that first appeared in May 2017 is a Server Message Block (SMB) worm: it exploits a flaw in the legacy SMBv1 protocol to gain access to hosts and to spread itself across the network. Although Microsoft had released the relevant security update (MS17-010) in March 2017, two months before the outbreak, WannaCry and other SMB worms such as Brambul continue to cause damage today on networks where SMBv1 is still enabled and unpatched. Disabling SMBv1 where it is not needed is exactly the kind of configuration decision this Control is about.
There are a number of actions you need to perform to make sure your configurations are secure:
- Establish standard secure configurations for operating systems and software. The configuration should be updated and validated in light of the latest vulnerabilities and attack vectors.
- Apply strict configuration management to all new systems deployed in the enterprise. Any existing system that becomes compromised should be re-imaged from the secure build rather than cleaned in place, and the image itself should be updated to address the weakness that was exploited. Different types of systems (servers, workstations, etc.) should have their own security images.
- Store the master security images on securely configured servers, validated with integrity checking tools, so that only authorized changes to an image are possible. Alternatively, store the master images on offline machines, air-gapped from the production network, and use secure media to move an image from storage to production.
- Use only secure channels for all remote administration. Protocols that do not natively provide strong encryption (telnet, VNC, legacy RDP, etc.) should be used only when tunneled over a secondary encrypted channel such as TLS or IPsec (the older SSL versions are deprecated and should not be relied on).
- Use file integrity checking tools to ensure that critical files have not been altered. The tool should be able to accept routine and expected changes and alert on unusual or unexpected ones. It should show the history of configuration changes over time and identify who made them, including the original logged-in account in the event of a user ID switch such as with su or sudo. It should also flag suspicious system changes such as owner and permission changes to files or directories, the use of alternate data streams (an NTFS feature sometimes used to hide malicious activity), and the introduction of extra files into key system areas (which can also indicate malicious activity).
- Use automated configuration monitoring that checks every remotely testable secure configuration element and alerts when unauthorized changes occur: new listening ports, new administrative users, changes to group and local policy objects, new services running on the system. Tools that integrate with the Security Content Automation Protocol (SCAP) are recommended.
- Deploy system configuration management tools that automatically enforce configuration settings on systems at regular intervals, or preferably in real time. With them you should be able to redeploy or re-apply the configuration settings on a scheduled, manual or event-driven basis.
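As an added example of the file-integrity requirement in the list above (this is illustrative code written for this article, not a CIS tool or a product the page describes), the following Python script records a SHA-256 hash plus owner and permission bits for every path under a directory, compares a later snapshot against that baseline, and separates routine, expected changes from unexpected ones. The directory tree and the "intrusion" it detects are constructed inside a temporary directory; attribution of who made a change (the original account behind su or sudo) is not covered here, since that comes from authentication and audit logs rather than from the file system.

```python
"""Minimal file-integrity baseline and drift report (illustrative, not a CIS tool)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _record(path: Path) -> dict:
    """Attributes to watch for one path: mode bits, owner, and a content hash for regular files."""
    st = path.lstat()
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        entry["sha256"] = digest.hexdigest()
    return entry


def build_baseline(root: str) -> dict:
    """Walk a key system area and map each relative path to its recorded attributes."""
    root_path = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            baseline[full.relative_to(root_path).as_posix()] = _record(full)
    return baseline


def compare(baseline: dict, current: dict, expected=frozenset()) -> dict:
    """Diff two snapshots.

    Paths in `expected` (for example a banner the admin is known to edit) are
    reported under "routine" instead of as alerts; every other difference is an
    unexpected change worth investigating.
    """
    report = {"added": [], "removed": [], "modified": [], "perm_changed": [], "routine": []}
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)             # extra file in a key system area
        elif rel in expected:
            if old != cur:
                report["routine"].append(rel)
        else:
            if old.get("sha256") != cur.get("sha256"):
                report["modified"].append(rel)      # content changed
            if (old["mode"], old["uid"], old["gid"]) != (cur["mode"], cur["uid"], cur["gid"]):
                report["perm_changed"].append(rel)  # owner or permission bits changed
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline, then one routine and three suspicious changes."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        (etc / "cron.d").mkdir(parents=True)
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "motd").write_text("welcome\n")
        (etc / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        os.chmod(etc / "passwd", 0o644)  # pin the mode so the result does not depend on umask
        baseline = build_baseline(tmp)

        (etc / "motd").write_text("maintenance tonight\n")                   # expected: banner edit
        with (etc / "passwd").open("a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")                           # unexpected: new uid-0 account
        os.chmod(etc / "passwd", 0o666)                                       # unexpected: world-writable
        (etc / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")  # unexpected: extra cron job

        return compare(baseline, build_baseline(tmp), expected={"etc/motd"})


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13} {paths}")
```

The report from `demo()` lists `etc/passwd` under both `modified` and `perm_changed`, `etc/cron.d/persist` under `added`, and the banner edit under `routine` only. In a real deployment the baseline would be signed and stored off the monitored host, and the allow-list of expected paths would come from the change-control process rather than from code.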
Your configuration settings should be based on security benchmarks: guidelines published by a reliable source such as CIS. The CIS Benchmarks, widely considered the gold standard, comprise over 100 configuration guides for various systems, hardening them against attacks that target configuration weaknesses. Following those guidelines yields a secure image that improves your organization's security posture.
Due to the organization's complexity and the functionality it requires, you will likely need to support several standardized security images. Keep the number of image variants to a minimum so that the security properties of each remain understood and manageable, but the organization must still be able to manage multiple baselines.
A study done in 2017 found that organizations fail over 50% of the compliance checks defined in the CIS Benchmarks, and that more than half of those failures were high-severity issues. System hardening should be a mandatory requirement. Yet the CIS Benchmarks are so detailed that following them is often regarded as a burden.
Because hardening is such a complex task, difficulties often arise and production is often affected. Every new configuration should be tested in a lab before the change is implemented in production, and these tests demand long hours of labor for each change made to a system. Since an enterprise network changes constantly, keeping track of hardening status and implementing the benchmarks flawlessly by hand is nearly impossible.
Automating the hardening process is therefore mandatory. Automated tools need to simplify the decision-making process around configuration changes, and the changes themselves should be applied automatically, leaving no room for human error that would leave the system vulnerable.
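To make the benchmark idea and its automation concrete, here is an added Python example (written for this article; it is not the CIS Benchmark, CIS-CAT, or code from any project the page describes) that audits an OpenSSH `sshd_config` against a handful of CIS-style expectations and emits a remediated copy. The five directives checked (PermitRootLogin, PermitEmptyPasswords, X11Forwarding, MaxAuthTries, LogLevel) are an illustrative subset in the spirit of the SSH section of the CIS Linux benchmarks; the benchmark's rule numbering and exact wording are not reproduced. The permissive sample configuration is constructed, and the values assumed for absent directives are OpenSSH's documented defaults. Two details a checker must get right are built in: sshd uses the first occurrence of a directive, and directives after a `Match` block are conditional, so a `PermitRootLogin no` inside a `Match` does not fix a global `PermitRootLogin yes`.

```python
"""Audit an sshd_config against CIS-style expectations and remediate it (illustrative)."""
import re

# Illustrative subset of SSH hardening expectations (assumed for this example, not
# the benchmark's own rule list): directive -> (predicate on the value, value to enforce)
EXPECTATIONS = {
    "PermitRootLogin": (lambda v: v == "no", "no"),
    "PermitEmptyPasswords": (lambda v: v == "no", "no"),
    "X11Forwarding": (lambda v: v == "no", "no"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "4"),
    "LogLevel": (lambda v: v in ("INFO", "VERBOSE"), "INFO"),
}

# Values sshd applies when a directive is absent (OpenSSH sshd_config(5) defaults).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}


def _key(line: str) -> str:
    """Lower-cased directive name of a config line ('' for blank lines)."""
    return re.split(r"[\s=]+", line.strip(), maxsplit=1)[0].lower()


def effective_settings(config_text: str) -> dict:
    """Effective global value of each audited directive.

    sshd keeps the FIRST occurrence of a directive, keywords are case-insensitive,
    and anything after a Match line is conditional, so it is not treated as global.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if _key(line) == "match":
            break
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return {d: seen.get(d.lower(), DEFAULTS[d]) for d in EXPECTATIONS}


def audit(config_text: str) -> list:
    """(directive, effective value) pairs that fail their expectation, in EXPECTATIONS order."""
    eff = effective_settings(config_text)
    return [(d, eff[d]) for d, (ok, _) in EXPECTATIONS.items() if not ok(eff[d])]


def remediate(config_text: str) -> str:
    """Hardened copy: failing global directives are commented out and the enforced
    values are prepended, so they become the first occurrence sshd sees."""
    failing = {d.lower() for d, _ in audit(config_text)}
    if not failing:
        return config_text
    out, in_match = [], False
    for raw in config_text.splitlines():
        key = _key(raw)
        if key == "match":
            in_match = True
        if not in_match and key in failing:
            out.append("# " + raw + "  # disabled by remediate()")
        else:
            out.append(raw)
    header = [f"{d} {enforce}" for d, (_, enforce) in EXPECTATIONS.items() if d.lower() in failing]
    return "\n".join(header + out) + "\n"


# Constructed, deliberately permissive configuration (not taken from any real host).
WEAK_CONFIG = """\
# sample sshd_config with weak settings
Port 22
PermitRootLogin yes
MaxAuthTries 10
X11Forwarding yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""

if __name__ == "__main__":
    print("findings:", audit(WEAK_CONFIG))
    hardened = remediate(WEAK_CONFIG)
    print(hardened)
    print("findings after remediation:", audit(hardened))
```

Auditing `WEAK_CONFIG` reports PermitRootLogin, X11Forwarding and MaxAuthTries, and auditing the remediated text reports nothing. Auditing an empty file still reports two failures, because OpenSSH's defaults for PermitRootLogin and MaxAuthTries do not meet the expectation; "not configured" is not the same as "compliant", which is why a benchmark check must evaluate the effective value rather than look for the presence of a line. The same audit-then-enforce shape is what the automation the paragraph above calls for looks like at scale, with the enforcement step run by a configuration management tool after the change has been tested in a lab.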