3:30 min read |
The first two CIS Controls for Internet security address keeping an inventory of hardware and software. The third CIS Control deals with secure system configurations. Its central principle is that a strict process for change control and configuration management is necessary to prevent attackers from exploiting poorly set up hardware and software. The road inside should be a less navigable path for those coming from the outside.
The importance of configuration management
Accepting the default configuration in any installation rarely produces the most secure configuration. The emphasis is on ease of deployment and use. And attackers know what to look for. A secure configuration turns off options which aren’t necessary, changes names from the defaults, and limits access to what’s necessary for usage.
It’s especially important to turn off inherently insecure features. There’s no good reason for modern systems to allow Telnet access or unencrypted FTP, nor should web servers provide directory listings to the browser.
Default accounts are a common vulnerability, even if they have custom passwords. Eliminating these accounts if they aren’t needed, or changing their names if they are, will reduce susceptibility to standard probes. Any, and all, “admin” accounts need to be rechristened.
Even devices that normally aren’t considered computers need configuration management. A printer may directly accept print jobs via email, communicate by Bluetooth or run unused network services such as Telnet, FTP and SNMP. These services could provide an avenue of attack for a malicious user and they should be disabled if not used. Some services may be re-enabled after applying a firmware update or performing a hard reset, so continuous monitoring of these devices is important.
Establishing a standard, secure configuration of operating systems and applications provides consistency. This can be accomplished using installation scripts or directly installable system images. Containerized software is especially amenable to this approach.
The Center for Internet Security recommends creating standardized system images with hardened versions of the operating system and applications. This is an effective approach for multiple servers sharing the same tasks or as a baseline for desktop systems. Standard images need to be updated periodically as security patches are issued or new concerns arise. If a system becomes compromised, reinstalling the image is a quick way to get the software back to a known, good state.
Configuration management tools
Software automation tools are a huge help to configuration management. Manual deployments are time-consuming and error-prone. The larger a network is, the greater the value it gains from automating its configurations. Tools such as Puppet, PowerShell DSC and Windows Group Policy allow centralized automation of system configurations.
File integrity tools can check installed software using a digest or checksum to make sure it hasn’t been altered. If there is an unexplained change, the software should be reinstalled and the machine checked for any other signs of a breach.
Administrators should be able to run the tools from a single console through a secure channel. The less they need to visit machines in person, the more effective they’ll be.
Being scanned is a fact of life. Internet connected devices worldwide are continuously scanned for vulnerabilities by untold numbers of bots. Many of these vulnerabilities exist due to default, or an otherwise insecure, configuration.
Many tools are available to scan software installations for weak points. Scanning master images periodically for vulnerabilities can call attention to the need for updates or tightened configurations.
Tools that follow the SCAP standard provide a consistent way of checking configurations against standard baselines. They will report any deviations; whether they are acceptable depends on company policy and the level of security needed. The report may include recommendations for fixing issues.
CIS benchmarks provide recommendations for secure configurations of various operating systems, applications and network devices. Many tools build their baselines on them.
Greater security and confidence
Using standard configurations, supported by automation tools and vulnerability scanning, provides a double benefit. It makes software more consistently secure while reducing the effort needed to configure it. Having the same settings in every installation reduces idiosyncratic software behavior, so there are fewer maintenance issues. This also aids in the deployments of patches across the network.
A fair amount of effort is needed up front to set up standard configurations, and ongoing work is necessary to keep them up to date. In the long run, though, they save effort as they improve security.