The Center for Internet Security (CIS) instructs organizations to perform 20 different actions, the CIS Controls, in order to achieve a cyber-attack resilient IT infrastructure. Among those 20 Controls, the first five are found to be the most essential ones. In this article we are going to dive into the 3rd CIS Control and how to harden configurations using CIS benchmarks.
In the 3rd Control, CIS recommends secure configurations for hardware and software. According to CIS, companies have to follow rigorous configuration and change control processes to prevent attackers from exploiting vulnerable services and settings.
As delivered by the manufacturer, an operating system's default configuration is aimed at usability rather than security. Without measures to secure it, the operating system is therefore highly vulnerable to cyber-attacks. Deploying configuration settings with good security properties in complex IT environments is extremely difficult: it requires analyzing hundreds of options and testing them before any decision is taken. This work usually demands the labor of several people and an investment of resources. As a result, changing configuration settings is commonly neglected or done incorrectly, leaving the organization vulnerable.
It is not a rare sight to see attackers take advantage of an organization's unknown security gaps, penetrating the enterprise's IT network, spreading malware and causing extensive damage. For example, the WannaCry malware, which first appeared in May 2017, is a Server Message Block (SMB) worm: it uses the SMB1 protocol as its entry point to access the network and distribute itself across it. Although Microsoft released the relevant security updates during 2016 and 2017, WannaCry, and other SMB worms such as the Brambul malware, continue to cause thousands of dollars' worth of damage to this day.
There are a number of actions you need to perform in order to make sure that your configurations are secure:
- Establish standard secure configurations for the operating systems and software. These configurations should be updated and validated in light of the latest vulnerabilities and attack vectors.
- Apply strict configuration management to all new systems deployed in the enterprise. For an existing system that becomes compromised, update the security image so that it addresses the vulnerabilities involved. Different types of systems (servers, workstations, etc.) should have their own security images.
- Store the master security image on securely configured servers, validated with integrity checking tools, and make sure that only authorized changes to the image are possible. Another option is to store the master image on offline machines, air-gapped from the production network. Use secure media to move the image from its storage to the production network.
- Use only secured channels for all remote administration. Protocols that do not actively support strong encryption (telnet, VNC, RDP, etc.) should only be used if they are run over a secondary encryption channel, such as SSL, TLS or IPsec.
- Use file integrity checking tools to ensure that critical files have not been changed. The checking tool should be able to accept routine and expected changes and alert on unusual or unexpected changes. It should show the history of configuration changes over time and identify who made them (the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checking tools should identify suspicious system changes such as: owner and permission changes to files or directories; use of alternate data streams, which can be used to hide malicious activity; and the introduction of extra files into key system areas (which could also indicate malicious activity).
- Use automated configuration monitoring that checks all remotely testable secure configuration elements and alerts if unauthorized changes occur (new listening ports, new admin users, changes to group and local policy objects, and new services running on the system). Tools that integrate with the Security Content Automation Protocol (SCAP) are recommended.
- Deploy system configuration management tools that automatically enforce configuration settings on systems at regular intervals or, preferably, in real time. With these tools you should be able to redeploy, or have real-time control over, the configuration settings on a scheduled, manual or event-driven basis.
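One way to implement the integrity check that the file-integrity item above calls for (and that the master-image item relies on), as an added example that is not the article's or CIS's own tooling: a baseline of hashes, owners and permission bits over monitored directories, compared on a schedule. It assumes a POSIX host; the directory list and where the baseline is stored are the caller's choice.

```python
"""File-integrity baseline and check (added example, not the article's own
code). Records a SHA-256 digest plus owner and permission bits for every
file under the monitored directories and reports additions, removals and
changes, separating content changes from owner/permission changes."""
import hashlib
import os
import stat

TRACKED = ("sha256", "mode", "uid", "gid")


def _fingerprint(path):
    """Hash the file contents and record owner and permission metadata."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(roots):
    """Walk the monitored directories and fingerprint every regular file.
    Symlinks are skipped so a link swap cannot masquerade as the original."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.isfile(path) and not os.path.islink(path):
                    baseline[path] = _fingerprint(path)
    return baseline


def check_against(baseline, roots):
    """Compare the current state with a saved baseline. 'added' flags extra
    files in key areas; 'modified' maps each path to the attributes that
    differ, so a bare chmod is reported as ['mode'] rather than as content."""
    current = build_baseline(roots)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for path in set(current) & set(baseline):
        changed = [k for k in TRACKED if current[path][k] != baseline[path][k]]
        if changed:
            report["modified"][path] = changed
    return report
```

Persist the baseline dict (for example with json.dump) on the protected image server rather than on the monitored host, and rebuild it only after an authorized change so that routine, expected updates are accepted while anything else is reported.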
Your configuration properties should rely on security benchmarks, which are guidelines published by a reliable source such as CIS. The CIS benchmarks, considered the gold standard, contain over 100 configuration guidelines for various systems to safeguard them against attacks targeting configuration vulnerabilities. Following these guidelines will provide a secure image that improves your organization's security posture.
It is likely that you will need to support several different standardized security images, due to the organization's complexity and the functionality it needs. The number of image variations should be kept to a minimum in order to better understand and manage the security properties of each, but the organization must be able to manage multiple baselines.
A study done in 2017 showed that organizations fail over 50% of the compliance checks established by CIS in its benchmarks. More than half of these failures were high severity issues. System hardening should be a mandatory requirement. CIS benchmarks provide incredible depth, so following them is often considered a burden.
Being such a complex task, hardening often runs into difficulties, and production is often harmed. In order to establish a new configuration, lab testing should be performed before the change is implemented in production. These tests demand long labor hours for every change made to the system. As the enterprise's network constantly changes, keeping track of hardening status and implementing the benchmarks is almost impossible to do flawlessly.
Automating the hardening process is mandatory to overcome this challenge. Automated tools need to simplify the decision-making process regarding configuration changes. Implementing those changes should also be done automatically, leaving no room for human mistakes that would leave the system vulnerable.