In a recent podcast interview with Zack Hack, Host of Cybercrime Magazine, Robert E. Johnson III, Cimcor CEO/President, discusses the latest views on system hardening and why it's important. The podcast can be listened to in its entirety below.
Zack Hack here. Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is President and CEO Robert E. Johnson III. Robert has been a pioneer in the development of next-gen system integrity monitoring, self-healing systems, and cybersecurity software. Welcome back, Robert. Great speaking with you. How have you been?
A: Been great, and great to be back with your show, Zack.
Q: Now, today we're going to talk about the buzz around system hardening, and I think this is gonna be interesting. Now, last year, we talked a little bit about system hardening, but I feel like we just scratched the surface. I want you today, if you wouldn't mind, to talk about the approach organizations might want to take when it comes to system hardening.
A: As a reminder, system hardening is a process of reducing the attack surface of your IT assets. This is usually accomplished by configuring your IT assets in a specific manner, according to industry best practices. So, there are two sets of best practices that are typically used for configuring these IT assets. The first source is DISA STIGs. These are configuration best practices, as defined by the US Government. These STIGs are available for many common operating systems such as Windows and Linux and several others. In fact, many government and defense agencies require systems to be configured according to these DISA STIGs.
Outside of the government, CIS Benchmarks have become the de facto standard for configuring IT assets into a hardened state. CIS Benchmarks are developed via industry consensus and are updated quite frequently. In addition, CIS Benchmarks are available for over 140 different types of operating systems and devices, databases, and other IT assets. It's the most robust set of system hardening guidelines that are available. Your enterprise should pick the set of system hardening standards, whether DISA STIGs or CIS Benchmarks, that make the most sense for your organization and the type of organization that you have. Many times, organizations will harden the golden image of certain systems that they are deploying first, and then they'll roll that image out to the entire organization or use it as the basis for every time a new server or workstation is built and deployed.
Q: Thanks for mentioning DISA STIGs and CIS Benchmarks. How can organizations ensure their assets remain in a hardened state?
A: That's a very good question. Many organizations don't realize or don't know if their systems are in a hardened state or not. Many times, folks will harden their systems, and then they simply hope that they stay in that hardened state. And, as we all know, hope is not a strategy.
A common practice is to perform an assessment on an annual basis, just to verify if they're in this hardened state. In my opinion, you should attempt to measure the state of hardening in your organization, really on a continuous basis. Because if you can measure the state of hardening in the organization, let's face it, what you're really measuring is your overall security posture. As a general industry, we should all move toward and strive toward measuring our security posture continuously. Even though this sounds like a tall order, and what I'm saying is a big task, I believe it's possible, and it's possible by using this new category of software called system integrity monitoring tools.
Q: So, are you saying that we should monitor all of our IT assets in a hardened state and do it on a daily basis? Is that going to be difficult to accomplish on a daily basis?
A: That's exactly what I'm saying, Zack. You need to know if your key assets are continuously in the expected, hardened state. If they aren't, that means that your assets have a greater attack surface and have increased risk associated with them. I do understand why you feel like this might be difficult to accomplish, especially if you're trying to accomplish this with traditional tools or even do it manually.
However, we've been heads down working on our CimTrak Integrity Suite, and our compliance module does exactly that. CimTrak can assess all of your IT assets, so you have insight into any resources that deviate from an expected hardened state. We provide this insight for Windows, Linux, and about 140 other operating systems and device types. Once we identify that a system is no longer in a hardened state, we can provide robust reports that even provide you with the exact guidance necessary to configure that system to once again be in a proper, hardened state. So, as a bonus, CimTrak can take all of that information that's been gathered and curated into evidence, so that you can easily show your auditors that you've done the right things, and had the right controls in place for a variety of compliance and regulatory frameworks from PCI to HIPAA, Sarbanes-Oxley, and about 70 others. It's extremely easy to benefit from, implement, and configure CimTrak, and this is one of the only tools that you'll be able to see benefits from right away. We're always open to providing a demo or a free trial to anyone in your audience. So Zack, if they're interested, just have them reach out to us. We would love to show them our technology.
Q: Where can they reach out to you? What's the address and the information online?
A: Sure, you can reach out to us or learn more at www.cimcor.com. That's spelled C, as in cat, I, M, C, O, R, dot com.
Q: Robert, always a pleasure talking with you. Can't wait to talk to you again. Thanks for joining us today.
A: I appreciate the opportunity, Zack. Can't wait to join your show again. Thank you.
September 27, 2022