One of the CISO’s most important tasks is to set a hardening policy for the organization’s servers. The need to implement a server hardening project usually stems from two needs:
Enforcing a server hardening policy requires a joint effort of the operations and the security teams. But the unique goals of each of these two groups are often misaligned, due to their conflicting responsibilities. The result is the “SecOps gap,” wherein insufficient collaboration between these two groups results in unhardened, vulnerable servers.
Security teams are under intense pressure to comply with a variety of regulations that often rely on common security controls and benchmarks.
Some of the most common are:
The Center for Internet Security (CIS) provides 20 controls for achieving a cyber-attack-resilient IT infrastructure.
In Control 5 (v7.1), the CIS recommends maintaining documented security configuration standards for all authorized operating systems and software (5.1). It also recommends deploying system configuration management tools that automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals (5.4). According to CIS, companies must adopt rigorous configuration and change control processes to prevent attacks that exploit vulnerable services and settings. For that reason, the CIS established a set of highly detailed benchmarks, with recommendations for each OS configuration. These benchmarks are published as documents running to hundreds of pages, with an explanation of each configuration object and its recommended state.
Besides compliance with CIS Benchmarks, some additional issues must be taken into consideration:
The Defense Information Systems Agency (DISA) is part of the US Department of Defense (DoD). It is a combat-support agency composed of military, federal civilians, and contractors.
The DISA Security Technical Implementation Guides (STIGs) are a set of configurations and checklists that describe how to minimize network-based attacks and prevent system access when the attacker is interfacing with the system, either physically at the machine or over a network.
The STIGs, like the CIS benchmarks, are low-level, as they use technology-specific approaches to securing a product.
STIGs also describe maintenance processes such as software updates and vulnerability patching.
If a company isn’t STIG-compliant, it may be denied access to DoD networks.
NIST has legislatively mandated guidelines for use by the civilian sector of the U.S. federal government.
NIST publishes a high-level set of recommendations for ensuring server security. In most cases, regulations that require organizations to comply with NIST will also require compliance with a low-level benchmark, such as the CIS benchmarks or DISA STIG.
Both NIST 800-53 and NIST 800-171 contain high-level security recommendations on a wide range of information security issues. One of the subjects covered is configuration management. In this section, NIST refers to every component in the system that must be securely configured, including servers. It covers subjects such as baseline configuration, change management, and impact analysis. Read more about server hardening according to NIST 800-53.
The NIST Guide for Server Security is completely dedicated to recommended actions for securing a server. The purpose of the NIST Guide for Server Security is to assist organizations in understanding the fundamental activities that are performed in order to implement and maintain server security. The document discusses the need to secure servers and provides recommendations for selecting, implementing, and maintaining the necessary security controls. Read more about the NIST guidelines for server hardening.
Although server hardening should be a top priority, most organizations struggle to achieve a satisfactory compliance score on audits.
In summary, it is not only the CISO’s responsibility to determine a server hardening policy, but also to ensure that the policy is correctly and continuously enforced.
Choose your desired policy, adjust it to your organizational needs, and implement it directly on your production systems without risking server outages.
Deploy a different baseline according to each server's role, environment, and version, and easily implement them from a single centralized control panel.
Minimize the number of users authorized to deploy server configuration changes.
Get real-time indications of the state of your compliance with your defined policy.
Be notified of any change in configuration, allowing you to maintain strict change control and prevent configuration drift.