Master Your Security Foundation: Harden Your Systems

According to a survey conducted by Tenable in late 2016, only 50% of our customers use our configuration auditing capabilities. That’s the bad news. The good news is that those who do use it really like it. But back to the bad news; Tenable and the Center for Internet Security sponsored a separate research project that found that only 55% of organizations enforce secure configuration standards for laptops, workstations and servers. That leaves a lot of systems with potentially unnecessarily open ports and services, weak or default passwords, overly broad user rights and other configuration weaknesses.

If you’ve read my recent blog posts, you understand the importance of having only authorized devices and software on your network. The next step, according to the CIS Controls, is to securely configure (harden) the authorized hardware and software of your mobile devices, laptops, workstations and servers. The CIS is not alone in this recommendation – other security frameworks and compliance standards echo the importance of securely configuring your systems as well.

Even if you follow strict configuration management and provision secure “golden” images, you should still audit configurations frequently to identify the inevitable configuration drift that occurs as configurations are manually modified. Additionally, you should securely configure the entire stack, not just the operating system – especially for internet-facing servers. Don’t ignore virtualization, cloud infrastructure, container platforms, containers, web servers and database servers. Like the proverbial chain, security is only as strong as the weakest layer of the stack.

Configure the entire stack, not just the operating system

You can get started with configuration standards available from multiple sources. The CIS publishes more than three dozen Benchmarks, DISA publishes a number of Security Technical Implementation Guides (STIGs), and many vendors publish their own guidelines. You may need to tailor the standards to your organization’s specific requirements. The key is to get started!

Tenable can help

Tenable offers more than 300 configuration audit files that cover multiple versions of popular operating systems, cloud infrastructure, web servers, databases, Windows productivity apps and network devices. Additionally, SecurityCenter® 5 is fully certified against Security Content Automation Protocol (SCAP) 1.2. SCAP, a methodology used to evaluate vulnerability management, measurement and policy compliance of security software solutions, is recommended by CIS to streamline reporting and integration. It is also meets NIST and FISMA reporting requirements.

SecurityCenter offers three reporting mechanisms to address a range of requirements. Each can be scoped for specific business systems to focus results:

• Reports by asset type list setting-by-setting and system-by-system audit results and identify settings requiring remediation.

• Dashboards display compliance status, allowing users to drill into details as needed (see example below).

• Assurance Report Cards (ARCs) communicate a compliance status overview that can be communicated to business owners and non-technical stakeholders (see example below).

Learn more

The CIS Controls include seven sub-controls that support Secure Configurations for Hardware and Software. A detailed discussion of these sub-controls is beyond the scope of this blog – but we can help you learn more. Tenable is hosting a webinar on June 21st when we will dive into the control details, show you how Tenable can help and answer your questions. This webinar is the third of a five-part series that will explore each of the CIS Foundational Cyber Hygiene controls. Brian Ventura, a SANS community instructor, will be our expert guest presenter. Brian teaches a 2-day course, Critical Security Controls: Planning, Implementing and Auditing. He has also taught a 5-day course, Implementing and Auditing the Critical Security Controls – in Depth. In addition to presenting valuable content, we will reserve time for questions and answers.

Look for future blogs where I will discuss the remaining Foundational Cyber Hygiene controls:

• Continuous vulnerability assessment and remediation
• Controlled use of administrative privileges