Server hardening: regulatory overview


Baseline security hardening is a fundamental task in ensuring the organization’s servers are secure and compliant.

Operating systems and applications ship from the vendor with a default configuration. That default is tuned for maximum ease of use and operational agility, not for security: vendors have to support the widest possible range of applications and development models, so they make sure users can employ the software for whatever purpose they have, and security is left to be added once the infrastructure is running and the applications are installed.

Server hardening is the task of reducing the attack surface of a server by disabling as many attack vectors as possible through a secure configuration. This secure configuration is usually called a "security policy" or "baseline", and it covers the subject areas (authentication, network services, logging, file permissions and so on) and the individual configuration objects under each that need to be controlled.

Server hardening is a very basic step for achieving both security and compliance.

Known vulnerabilities: weaknesses at the configuration level are known to give attackers easy attack paths. Eliminating them is a cheap way to make an attacker move on from the machine to another system or another organization; there is no way around dealing with the source of the threat, the vulnerability itself. Applying proper hardening at the server level is fundamental to avoiding many of the common cyber attacks. As the CIS (Center for Internet Security) has stated, about 85% of data breaches could be stopped by applying the first five CIS Critical Security Controls, and secure configuration, i.e. server hardening, is number 3 of those five.


Hardening is an integral part of many cyber security regulations and best-practice frameworks. In many cases the confusion comes from IT teams that know they need to harden in order to achieve compliance, but do not know which policies to use, or what to do when they have more than one regulatory requirement to comply with.

Overview of the common regulations:

PCI DSS, requirement 2.2: the Payment Card Industry Data Security Standard applies to all organizations that store, process or transmit payment card data. Requirement 2.2 requires organizations to develop configuration standards for all system components that address known security vulnerabilities and are consistent with industry-accepted system hardening standards, such as the CIS benchmarks or the secure configuration guidance published by the software vendors.

SWIFT: following several devastating attacks that abused the SWIFT messaging system, such as the 2016 theft from Bangladesh Bank, SWIFT introduced its Customer Security Programme. Starting in January 2018 SWIFT checks that its customers (banking organizations) have deployed a mandatory set of security controls. Those controls include hardening the SWIFT infrastructure against a recognized benchmark such as CIS or NIST; review the SWIFT security hardening guideline for the details.


NIST SP 800-53: the configuration management controls of SP 800-53 (in particular CM-6, Configuration Settings) expect organizations to establish mandatory secure configuration settings, verify them by scanning the environment, and demonstrate compliance against machine-readable checklists, typically SCAP content from the NIST National Checklist Program (NCP) hosted under the NVD: https://web.nvd.nist.gov/view/ncp/repository

However, at the time of writing the NCP repository had not been updated for more than three years and lacks critical updates, so many auditors now direct organizations to use the CIS Benchmark checklists directly, because the NCP entries are either incomplete or themselves refer to CIS or to vendor security baselines such as Microsoft's Security Compliance Manager (SCM).


NIST CSF (Cybersecurity Framework): the NIST CSF became mandatory for the entire federal government in May 2017 (Executive Order 13800), and federal organizations should be audit-ready during 2018. The CSF hardening requirement is PR.IP-1: "A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality)." The CSF does not define a policy of its own, but bearing NIST SP 800-53 in mind it is better to use the CIS benchmarks.


NERC CIP: when reviewing NERC CIP-005 R4 and CIP-007 R8 (cyber vulnerability assessment), auditors want to see evidence of secure configuration management controls. NERC auditors will usually check that there is an approved security policy that covers the common controls, and they test a sample of machines and devices for adherence to that organizational policy.

To pre-empt the common argument about whether your security policy is relevant and up to date, it is better to base it on the CIS benchmarks. Your auditor is most likely familiar with CIS, and that is a good starting point for the auditor's checks.
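What "testing a sample of machines for adherence to the organizational policy" looks like in practice, as an added example that is not part of the original page: a small bash script that audits an OpenSSH sshd_config against a handful of CIS-style expected settings and reports each deviation, the way a benchmark checklist item is evaluated. The five expected settings and the sample config file are constructed for this example and stand in for the real benchmark items; the function names are assumptions of the example, not from any tool or standard.

```shell
#!/usr/bin/env bash
# Added example (not from the page): a minimal baseline-adherence check of the kind an
# auditor's "sample of machines" test performs, applied to an OpenSSH sshd_config file.
# The expected settings and the sample config are constructed for illustration; a real
# audit would take them from the CIS benchmark for the operating system in question.

# Print the effective global value of an sshd_config keyword. sshd uses the first
# occurrence of a keyword, keywords are case-insensitive, and everything after a
# Match line is conditional, so reading stops there.
sshd_effective_value() {
  awk -v k="$2" '
    tolower($1) == "match"    { exit }             # leave the global section
    tolower($1) == tolower(k) { print $2; exit }   # first occurrence wins
  ' "$1"
}

# check_sshd_setting FILE KEYWORD EXPECTED: prints one PASS/FAIL line, returns 1 on FAIL.
check_sshd_setting() {
  local file="$1" key="$2" expected="$3" actual
  actual=$(sshd_effective_value "$file" "$key")
  if [ -z "$actual" ]; then
    printf 'FAIL %-22s not set (expected %s)\n' "$key" "$expected"; return 1
  elif [ "$actual" = "$expected" ]; then
    printf 'PASS %-22s %s\n' "$key" "$actual"; return 0
  else
    printf 'FAIL %-22s %s (expected %s)\n' "$key" "$actual" "$expected"; return 1
  fi
}

# audit_sshd FILE: runs every check in the baseline; the return code is the number of failures.
audit_sshd() {
  local file="$1" failures=0 key expected
  while read -r key expected; do
    [ -n "$key" ] || continue
    check_sshd_setting "$file" "$key" "$expected" || failures=$((failures + 1))
  done <<'BASELINE'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
BASELINE
  return "$failures"
}

# Constructed sample config: two settings deviate from the baseline, one commented-out
# line must be ignored, and the Match block must not affect the global result.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
Match User backup
    PasswordAuthentication yes
EOF

rc=0
audit_sshd "$SAMPLE_CFG" || rc=$?
echo "sshd baseline findings: $rc"   # 2
```

Run against a real host by replacing SAMPLE_CFG with /etc/ssh/sshd_config and extending the BASELINE list from the benchmark; the non-zero exit code from audit_sshd is what a fleet-wide sampling job would collect per machine as the evidence an auditor asks for.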


FFIEC: the FFIEC IT Examination Handbook requires banks to perform hardening, as detailed in its Information Security booklet: "Management should consult operating system and software vendor-recommended security controls. When deploying COTS applications and systems, management should harden the resulting applications and systems. Hardening can include the following actions" (the list of actions follows in the booklet). The FFIEC provides a high-level list of subjects that should be hardened; this list has some similarities to the CIS subject areas, but the FFIEC does not provide a detailed per-object analysis. It is recommended to use the CIS benchmarks, as they cover the FFIEC requirements and guide the IT team to specific tasks. Learn more:

https://ithandbook.ffiec.gov/it-booklets/information-security/ii-information-security-program-management/iic-risk-mitigation/iic10-change-management-within-the-it-environment/iic10(b)-hardening.aspx


Summary table:

Regulation        Technical policy / benchmark
PCI DSS           CIS benchmarks or vendor-specific secure configuration
SWIFT             CIS, NIST or vendor-specific policies
NERC CIP          Not specified; CIS recommended
FFIEC             High-level guidelines only; CIS recommended
NIST CSF          Not specified; CIS or NIST can be used
NIST SP 800-53    NIST NCP/SCAP checklists specified; in practice forwards to CIS


References:

https://technet.microsoft.com/en-us/library/cc526440.aspx
https://csrc.nist.gov/Projects/National-Checklist-Program
https://www.darkreading.com/partner-perspectives/tenable/why-is-endpoint-security-failing/a/d-id/1322227
https://www.isaca.org/chapters3/Atlanta/Events/Documents/ISACA%20Atlanta-%20Technical%20Implementation%20of%20NIST%20FFIEC%20CSF.pdf


Mapping and Compliance

PCI-DSS requirement 2.2 hardening standards