Freshly installed operating systems and network-connected devices, by default, are usually configured for ease of deployment and ease of use. This means that the security controls are set to the least restrictive settings to ensure users experience little to no issues deploying their products. While this is great from the deployment perspective, it is not so great from the security perspective. Default admin accounts, unused protocols, and unnecessary pre-installed software can all be exploited in their default configuration.
The CSC 3 control is all about securing the configuration on mobile devices, laptops, workstations, and servers. The control states, “Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.”
With the diversity of equipment, operating systems, and applications that exist, even in a small organization, developing a secure configuration for each platform can be a daunting task. With potentially thousands of settings and options to consider, the complexity of such an endeavor is usually beyond that of the average user. Additionally, once a secure baseline has been developed, the configuration needs to be continuously reviewed and maintained as software is patched, updated, or new applications are deployed. A single patch could potentially revert critical settings to a default state and undo the hours of work previously performed.
A Closer Look at the Sub-Controls
The sub-controls to CSC 3 were developed to organize this effort into a logical set of processes that are easier to implement and maintain. The CSC 3 sub-controls are:
- Sub-Control 3.1 Establish standard secure configurations of operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system.
- Sub-Control 3.2 Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Images should be created for workstations, servers, and other system types used by the organization.
- Sub-Control 3.3 Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible.
- Sub-Control 3.4 Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels.
- Sub-Control 3.5 Use file integrity checking tools to ensure that critical system files have not been altered.
- Sub-Control 3.6 Implement and test an automated configuration monitoring system that verifies all remotely testable secure configuration elements, and alerts when unauthorized changes occur.
- Sub-Control 3.7 Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
Best Practices and Resources to Help
The scope of this control can sometimes be daunting, depending on the size and diversity of the environment. However, the good news is that there is no need to completely reinvent the wheel. There are, fortunately, several resources available that have documented best-practice security implementations for the most popular operating systems and applications. Many network device manufacturers also provide security implementation guides to reduce the burden of creating a secure baseline configuration. Ideally, organizations will start with security guides that have been publicly developed and vetted, and then customize the configuration based on the organizational needs.
Resources can be found at:
- The Center for Internet Security Benchmarks Program (www.cisecurity.org)
- The NIST National Checklist Program (checklists.nist.gov)
- Secure Technical Implementation Guides (STIGs) (iase.disa.mil/stigs/Pages/index.aspx)
Once a secure baseline configuration has been made, there are several applications available that can then create the secure image files. Some examples are Clonezilla, Acronis Manager, and Free Open Ghost (FOG). Microsoft Deployment Toolkit (MDT) is also available specifically to create reference images for Windows-based operating systems. One advantage of the MDT is that it creates a Windows Image Format (WIM) file that takes advantage of compression capabilities to create smaller image files.
Once the secure baseline configuration is complete, and the image file is created, organizations need to ensure that unauthorized changes are not made to these secure configurations. This is where file integrity monitoring (FIM) comes in. FIM creates a baseline, monitors a subset of specified files, and creates an alert when any unauthorized changes are made.
A good FIM implementation will consist of the following elements:
- The ability to define a policy and specify which files need to be monitored.
- Baseline files that are created when the target file is in a known good state.
- The ability to determine the difference between a good change and a bad change.
- The option to alert and take corrective action based on policy and priority.
- Automated reporting for compliance and other needs.
Tripwire’s FIM is an example of an application that meets several of the elements listed above and also has some unique characteristics that make it a leading product in the space. One such feature is the ability to track the specific elements of a file that have been changed and who made the change. These are both vital bits of information if an unauthorized change is ever detected. Qualys is a leading FIM service provider. One of the unique features of Qualys is that it is entirely cloud-based. This feature makes the application highly scalable and ideal for distributed environments.
CSC sub-control 3.7 amplifies the need to be able to deploy, evaluate, and re-deploy configuration settings. This is a vital capability because, unfortunately, end users sometimes don’t appreciate the need for several of the security settings that are in place. While not attempting to be malicious, they may disable critical configuration settings to improve their performance or general user experience. Having an automated means of detecting these configuration changes and reverting them back will help to ensure a secure environment.
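The FIM elements listed above and the sub-control 3.7 enforcement loop, as an added example that is not part of the original post and is not code from Tripwire, Qualys, or any other product named here: it baselines a policy-defined set of files (content hash plus permission bits), classifies a later change as authorized only if the change-control record lists the new hash for that path, alerts on anything else, and reverts unauthorized drift from the baseline copy. The two config files, their contents, and the `approved` change record are constructed for the demonstration.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def fingerprint(path):
    # SHA-256 of the content plus permission bits; None when the file is gone.
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(os.stat(path).st_mode)}

def create_baseline(paths):
    # Snapshot each file in its known-good state; the saved bytes are the master copy.
    return {p: {**fingerprint(p), "content": Path(p).read_bytes()} for p in paths}

def check(baseline, approved):
    # A changed hash is "authorized" only if the change record lists it for that path.
    findings = {}
    for p, base in baseline.items():
        cur = fingerprint(p)
        if cur is None:
            findings[p] = "missing"
        elif cur == {"sha256": base["sha256"], "mode": base["mode"]}:
            findings[p] = "unchanged"
        elif cur["sha256"] in approved.get(p, ()):
            findings[p] = "authorized"
        else:
            findings[p] = "unauthorized"
    return findings

def remediate(baseline, findings):
    # Enforce the baseline: restore content and permission bits of drifted files.
    reverted = sorted(p for p, s in findings.items() if s in ("unauthorized", "missing"))
    for p in reverted:
        Path(p).write_bytes(baseline[p]["content"])
        os.chmod(p, baseline[p]["mode"])
    return reverted

def demo():
    # Constructed scenario: two config files, one ticketed edit, one rogue edit.
    root = tempfile.mkdtemp()
    sshd, limits = os.path.join(root, "sshd_config"), os.path.join(root, "limits.conf")
    Path(sshd).write_text("PermitRootLogin no\n")
    Path(limits).write_text("* hard core 0\n")
    baseline = create_baseline([sshd, limits])
    new_limits = "* hard core 0\n* hard nproc 4096\n"
    approved = {limits: {hashlib.sha256(new_limits.encode()).hexdigest()}}
    Path(limits).write_text(new_limits)            # change recorded in `approved`
    Path(sshd).write_text("PermitRootLogin yes\n")  # drift nobody approved
    before = check(baseline, approved)
    return before, remediate(baseline, before), check(baseline, approved)
```

Calling `demo()` returns the findings before remediation, the list of reverted paths, and the findings afterwards; a production tool would also record who made each change and page on every "unauthorized" or "missing" result rather than only reverting it.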
One of the better-known applications that fills this role is Group Policy Objects (GPOs) within Microsoft Active Directory. While GPOs can be used to deploy configuration settings across the entire Windows platform, there are specific sub-menus for configuring security options. In this area, an administrator can configure such things as password rules, Windows Firewall, and local administration capabilities. While GPO provides a comprehensive set of configuration options, it is only relevant to Windows platforms—and to some extent Apple. To gain the same capabilities on Linux-based systems, organizations will need to leverage additional solutions such as Samba, LDAP, or Puppet.
As with any security implementation, there are several solutions on the market that can assist with many of the tasks contained in the CSC3 sub-controls. While there is no single solution that is right for every organization, a thorough evaluation of the organization’s environment, goals, and objectives can help determine which solutions are right for them.
ePlus provides assessments that help gauge the effectiveness of your current security program, and help you better protect your organization. We create custom, integrated security programs through a unique holistic approach centered on culture and technology. For more information about how you can implement the recommendations of the CSC3 sub-controls, visit www.cisecurity.org/controls/ or contact us at firstname.lastname@example.org. You can also contact your ePlus Account Executive directly.