Breaking Down The Critical Security Controls: CSC 3 – Secure Configurations3 min read
Continuing my series of Breaking Down The Critical Security Controls the next one in line is number three. CSC 3 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. After building inventories of your hardware and software in your environment per CSC 1 & CSC 2 the next step is to ensure those components are configured securely, consistently and accurately.
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
This control is where specific security, infrastructure and network expertise comes into play. In order to create secure configurations you need resources in your environment that can read, analyze and understand with expertise with the ‘whats’ and ‘hows’ of a component’s configuration. This will include your DBAs, AD Domain Administrators, Server Administrators, Network Administrators, software tool experts, developers and anyone else that works directly with a component.
No security team will have all that knowledge and expertise on the team but that’s where the secret weapon to effective security is applied. Collaboration. Yes, you need to talk to the business. Communication, transparency, accountability and teamwork. Only when you work together can you create a gold standard configuration. Taking industry best practices on how to secure Active Directory or a database probably will not fully apply to your environment, those that know the tools and the business at that level do.
After you have a gold configuration that needs to be documented and inserted in to an image/build that is then applied to all systems. That’s the first step. The second step is to ensure the configuration integrity on those systems and the configurations do not change. Using your SIEM (Security Information Event Manager) to monitor changes, file monitors, infrastructure and vulnerability scanners can help keep changes in check.
In addition to monitoring for changes there should also be improvements to the accessibility of those that can make changes. Expanding Group Policy Objects (GOP), tightening Access Control Lists to be closer to Least Privilege, and removing the ability altogether will reduce the capability of changes being made.
How It Could Be Exploited
First and foremost your environment is being constantly scanned. Thousands if not millions of bots are constantly scanning all the IP addresses on the Internet and they are looking for vulnerabilities. Unless you have a catalog of pre-built, secure configurations and/or images ready to deploy there are vulnerabilities in your environment. Almost by default any out of the box software has exploitable vulnerabilities. Unless you have updated configurations that close those vulnerabilities, contain the latest patches and updates and do it consistently across the environment you could inadvertently expose your environment just by turning on a system. Controlling how the systems are built and configured, especially if the configurations are built specifically for a system’s use (DB, AD, File server, etc…), will close the attack vectors of those looking to infiltrate your systems and data.
A consistent configuration allows you as a security leader to know with accuracy, along with your inventories in CSC 1 and CSC 2, to know what is impacted by a vulnerability based on a configuration profile. This will also provide improvements in your governance and compliance efforts by ensuring that risky protocols are blocks, ports are disabled, and versions are up to date.
Consistent, repeatable and automated processes are one of the keys to effecting Information Security.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.
Follow Me On Twitter