Today, I will be going over Control 5 from version 7 of the CIS top 20 Critical Security Controls – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. I will go through the five requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 5
- More than just vendor guidelines. Some vendors publish recommended configuration guidelines for performance and/or security, but most software and operating systems ship in an open, insecure default state. External sources such as the CIS hardening benchmarks and DISA STIGs provide much more thorough guidance. A default Windows installation will typically pass only roughly 65% of the checks in the CIS benchmark. Know that these benchmarks are available; applying them can reduce your attack surface tremendously.
- FIM as a key driver. File Integrity Monitoring is something Tripwire has been doing for over two decades. I firmly believe that FIM is a key component of every aspect of control 5. FIM will alert to changes in key files such as master images. FIM can monitor configuration files to report when they are changed in real time. FIM can do much more than people realize.
- Bring in data from earlier controls. You’re going to need the inventory from Controls 1 and 2 in order to know what to secure. After all, you can’t protect that which you do not know about.
- Prepare for incidents. Control 5 is tightly coupled with Control 19. A configuration change can introduce a configuration vulnerability, which can lead to a breach. Make sure your security configuration management (SCM) data and staff are available to the Incident Response program when you get to Control 19.
Requirement Listing for Control 5
1. Establish Secure Configurations
Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.
Notes: I read this as: leverage hardening benchmarks such as the CIS benchmarks or DISA STIGs, and follow frameworks such as NIST SP 800-53, to define the standard for the environment. Luckily, Tripwire Enterprise has a vast library of policies based on those frameworks and more.
2. Maintain Secure Images
Description: Maintain secure images or templates for all systems in the enterprise based on the organization’s approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
Notes: The difficulty here will be keeping the images current given the frequency of operating system and application updates. Ideally, the master image is updated in unison with the production environment, but that may be difficult if the master image is stored offline. A great idea is to use the master image as the source of truth when monitoring for change in the environment: if a system binary changes, or a binary appears that is not present in the master image, it should be considered suspicious. Gather file hashes with a file integrity monitoring tool, such as Tripwire Enterprise, and compare them against the hashes of the master image.
3. Securely Store Master Images
Description: Store the master images and templates on securely configured servers validated with integrity monitoring tools to ensure that only authorized changes to the images are possible.
Notes: Treat the golden image like it’s actual gold. Encrypt it, restrict permissions, store it offline, and monitor it with FIM. Use every tool to your advantage to make sure there are no unauthorized changes to the master images.
4. Deploy System Configuration Management Tools
Description: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
Notes: Knowing that something changed is one thing; being able to do something about it is entirely different. Tripwire Enterprise policies provide very detailed step-by-step instructions on how to remediate a failed policy test, with the ability to auto-remediate the failures as well.
5. Implement Automated Configuration Monitoring Systems
Description: Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
Notes: I would actually like to see this requirement swap places with the one above it. The first step is to baseline a system. Only once you have that baseline should you begin going through the process to remediate. That being said, Tripwire Enterprise is best in class when it comes to monitoring for change, especially configuration change, on any type of endpoint.
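The hash comparison described under requirement 2, together with the "catalog approved exceptions" and "alert when unauthorized changes occur" elements of requirement 5, can be shown end to end in a small script. The following is an added illustration, not Tripwire Enterprise code or any CIS-provided tool: it hashes every regular file under a trusted golden-image tree with SHA-256, does the same for a live system tree, and classifies the drift into modified, added, removed, and approved-exception files. The directory layout, file contents, and the `APPROVED_EXCEPTIONS` list are constructed for the example; on a real system you would point `baseline()` at the mounted image and at the live root.

```python
"""Golden-image drift check (added example, not Tripwire Enterprise code).

Hash every regular file under a trusted image tree, then compare a live
system tree against that baseline. Files that are expected to differ per
host (hostname, machine-id) are cataloged as approved exceptions and
reported separately instead of raising an alert.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed exception catalog: paths allowed to differ from the image.
APPROVED_EXCEPTIONS = frozenset({"etc/hostname", "etc/machine-id"})


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every regular file under root.

    Symlinks are skipped: hashing the target would attribute the content to
    the wrong path, and a symlink swap is better caught by a metadata check.
    """
    hashes: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            hashes[p.relative_to(root).as_posix()] = sha256_file(p)
    return hashes


def compare(golden: dict[str, str], live: dict[str, str],
            exceptions: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Classify drift between the golden image and the live system.

    Anything in 'modified', 'added' or 'removed' is an unauthorized change
    and should raise an alert; 'excepted' lists cataloged exceptions that
    actually differ, for audit visibility only.
    """
    common = golden.keys() & live.keys()
    everything = golden.keys() | live.keys()
    modified = sorted(f for f in common
                      if golden[f] != live[f] and f not in exceptions)
    added = sorted(f for f in live.keys() - golden.keys() if f not in exceptions)
    removed = sorted(f for f in golden.keys() - live.keys() if f not in exceptions)
    excepted = sorted(f for f in exceptions
                      if f in everything and golden.get(f) != live.get(f))
    return {"modified": modified, "added": added,
            "removed": removed, "excepted": excepted}


def demo() -> dict[str, list[str]]:
    """Build a constructed golden image and a drifted live tree; return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, live = Path(tmp) / "golden", Path(tmp) / "live"
        # Constructed image contents; real images hold the full OS tree.
        image_files = {
            "usr/bin/sshd": b"sshd-binary-v1",
            "etc/ssh/sshd_config": b"PermitRootLogin no\n",
            "etc/hostname": b"golden\n",
        }
        for root in (gold, live):
            for rel, data in image_files.items():
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        # Simulated drift on the live host.
        (live / "etc/ssh/sshd_config").write_bytes(b"PermitRootLogin yes\n")  # weakened config
        (live / "etc/hostname").write_bytes(b"web01\n")                       # approved exception
        (live / "usr/bin/.cache").write_bytes(b"unexpected")                  # file not in image
        (live / "usr/bin/sshd").unlink()                                      # binary missing
        return compare(baseline(gold), baseline(live), APPROVED_EXCEPTIONS)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:9s}: {files}")
```

The weakened `sshd_config` and the unexpected file under `usr/bin` both surface as unauthorized changes, while the hostname difference is reported under `excepted` rather than alerting. In practice the golden baseline would be computed once from the securely stored image (requirement 3) and signed, so that the comparison does not depend on the live host's own view of what the image contains.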
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.
Read more about the 20 Critical Security Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 4 – Controlled Use of Administrative Privileges
You can also learn more about the CIS security controls here.