
For CISOs

THE CHALLENGE

One of the CISO’s most important tasks is to set a hardening policy for the organization’s servers. The need to implement a server hardening project usually stems from two needs:

  1. The need to improve the organization’s security posture.
  2. Compliance with regulations that require server hardening.

Enforcing a server hardening policy requires a joint effort of the operations and the security teams. But the unique goals of each of these two groups are often misaligned, due to their conflicting responsibilities. The result is the “SecOps gap,” wherein insufficient collaboration between these two groups results in unhardened, vulnerable servers.

Security teams are under intense pressure to comply with a variety of regulations that often rely on common security controls and benchmarks.

Some of the most common are:

  • The CIS Controls and Benchmarks

    The Center for Internet Security (CIS) provides 20 guidelines for achieving a cyber-attack resilient IT infrastructure.

    In the 5th Control (v7.1), the CIS recommends maintaining documented security configuration standards for all authorized operating systems and software (5.1). They also recommend deploying system configuration management tools that automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals (5.4). According to CIS, companies must adopt rigorous configuration and change control processes to prevent attacks that exploit vulnerable services and settings. For that reason, the CIS established a set of highly detailed benchmarks, with recommendations for each OS configuration. This set of benchmarks is described in documents of hundreds of pages, with an explanation of each object and its recommended state.

    Besides compliance with CIS Benchmarks, some additional issues must be taken into consideration:

    1. Each organization should establish a configuration policy for their operating systems, according to organizational needs and emerging security issues.
    2. After implementation, a strict configuration management policy should be applied.
    3. Store the master security image securely. Make sure that only authorized changes to the image are possible.
    4. Use secured channels to perform all remote administration tasks.
    5. Use file integrity checking tools to ensure that critical files have not been changed.
    6. Use automated configuration monitoring tools that check all remotely-testable secure configuration elements, and raise alerts if unauthorized changes occur.
    7. Deploy system configuration management tools that automatically enforce configuration settings, either periodically, or preferably, in real-time.
  • DISA STIG

    The Defense Information Systems Agency (DISA) is part of the US Department of Defense (DoD). It is a combat-support agency composed of military, federal civilians, and contractors.

    The DISA Security Technical Implementation Guides (STIGs) are a set of configurations and checklists that describe how to minimize network-based attacks and prevent system access when the attacker is interfacing with the system, either physically at the machine or over a network.

    The STIGs, like the CIS Benchmarks, are low-level, as they take technology-specific approaches to securing a product.

    STIGs also describe maintenance processes such as software updates and vulnerability patching.

    If a company isn’t STIG-compliant, it may be denied access to DoD networks.

  • National Institute of Standards and Technology (NIST) Guidelines

    NIST publishes legislatively mandated guidelines for use by the civilian sector of the U.S. federal government.

    NIST publishes a high-level set of recommendations for ensuring server security. In most cases, regulations that require organizations to comply with NIST will also require compliance with a low-level benchmark, such as the CIS benchmarks or DISA STIG.


    NIST 800-53 & NIST 800-171:

    Both NIST 800-53 and NIST 800-171 contain high-level security recommendations on a wide range of information security issues. One of the subjects covered is configuration management. In this section, NIST refers to every component in the system that must be securely configured, including servers. It covers subjects such as baseline configuration, change management, and impact analysis. Read more about server hardening according to NIST 800-53.


    NIST Guide for Server Security (NIST SP 800-123):

    The NIST Guide for Server Security is completely dedicated to recommended actions for securing a server. The purpose of the NIST Guide for Server Security is to assist organizations in understanding the fundamental activities that are performed in order to implement and maintain server security. The document discusses the need to secure servers and provides recommendations for selecting, implementing, and maintaining the necessary security controls. Read more about the NIST guidelines for server hardening.

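As an added illustration of items 5, 6 and 7 in the CIS section above (file integrity checking, automated monitoring of remotely testable configuration elements, and alerting on unauthorized change), the following Python is example code written for this page; it is neither CalCom's product nor tooling from CIS, DISA or NIST. The sshd_config baseline, the sample configuration text and the recorded file hashes are constructed for the demonstration; a real baseline would be taken from the organization's approved hardening policy.

```python
"""Configuration-drift and file-integrity check in the spirit of CIS
Control 5: documented configuration standards, automated checking of
remotely testable settings, and alerts when they deviate.

Added example, not CalCom code.  The baseline, the sshd_config text and
the file hashes below are constructed for illustration."""

import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical organisational baseline for sshd_config.  Directive names
# are stored lower-cased because sshd treats them case-insensitively.
BASELINE_SSHD: Dict[str, str] = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

# Constructed sshd_config content, as it might be collected from a server
# over the secured administration channel.  Two deviations are planted:
# root login re-enabled, and X11Forwarding commented out (so sshd falls
# back to its default instead of the policy value).
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 4
"""


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    actual: Optional[str]  # None: directive absent (commented out or missing)


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective directives.  Blank lines and comments are
    skipped; as in sshd, the first occurrence of a directive wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"(\S+)\s+(.+)", line)
        if match:
            settings.setdefault(match.group(1).lower(), match.group(2).strip())
    return settings


def check_drift(settings: Dict[str, str], baseline: Dict[str, str]) -> List[Finding]:
    """Every baseline directive that is missing or holds a different value."""
    findings: List[Finding] = []
    for directive, expected in baseline.items():
        actual = settings.get(directive)
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(directive, expected, actual))
    return findings


def compliance_score(findings: List[Finding], baseline: Dict[str, str]) -> float:
    """Fraction of baseline directives currently in their required state."""
    return (len(baseline) - len(findings)) / len(baseline)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_integrity(current: Dict[str, bytes], known_hashes: Dict[str, str]) -> List[str]:
    """Paths whose content no longer matches the recorded baseline hash.
    A file that has disappeared counts as changed."""
    return [
        path for path, digest in known_hashes.items()
        if path not in current or sha256_of(current[path]) != digest
    ]


if __name__ == "__main__":
    effective = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    drift = check_drift(effective, BASELINE_SSHD)
    for f in drift:
        print(f"DRIFT {f.directive}: expected {f.expected!r}, found {f.actual!r}")
    print(f"compliance: {compliance_score(drift, BASELINE_SSHD):.0%}")

    # Constructed integrity baseline: hash recorded when the master image
    # was approved, compared with what the server holds now.
    recorded = {"/etc/ssh/sshd_config": sha256_of(b"approved content")}
    on_server = {"/etc/ssh/sshd_config": b"tampered content"}
    for path in check_integrity(on_server, recorded):
        print(f"INTEGRITY {path}: hash mismatch")
```

Run on the constructed sample, the check reports PermitRootLogin and X11Forwarding as drifted and a 60% compliance score; the commented-out directive is reported as absent rather than silently passing, which is the case a naive grep-based check tends to miss. Detection is only half of item 7: the same baseline dictionary is what an enforcement step would write back to the server, either on a schedule or on each alert.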

Although server hardening should be a top priority, most organizations struggle to achieve a satisfactory compliance score on audits.

In summary, it is not only the CISO’s responsibility to determine a server hardening policy, but also to ensure that the policy is correctly and continuously enforced.

THE SOLUTIONS

  • Choose your desired policy, adjust it to your organizational needs, and implement it directly on your production systems without risking server outages

  • Deploy a different baseline for each server role, environment, and version, and implement them all from a single centralized control panel

  • Minimize the number of users authorized to deploy server configuration changes

  • Get real-time indications on the state of your compliance with your defined policy

  • Be notified of any change in configuration, allowing you to maintain strict change control and prevent configuration drift