In most instances, new digital assets, such as servers and operating systems, come in an unconfigured state. When an asset is installed, everything is enabled by default. All application services are turned on, and all ports are open. At the same time, most new assets aren’t fully updated — they often require multiple software and firmware updates. Enter–System Hardening.
System hardening is the process of configuring an asset in line with security best practices to reduce its vulnerability to cyber-attacks. The process involves reducing the "attack surface" of the asset by disabling unnecessary services, user accounts, and ports.
The purpose of system hardening is simple. The smaller an asset’s attack surface — i.e., the fewer entry points it has — the harder it is for an attacker to gain unauthorized access.
Establishing a System Hardening Baseline
One of the most critical steps in system hardening is establishing a baseline. This requires an initial assessment of system ‘hardness’ against an established best practice framework.
We’ve previously discussed the function and importance of the Center for Internet Security’s (CIS) benchmarks. CIS benchmarks are a set of best practice configuration standards developed by consensus between a broad range of cybersecurity experts.
With over 100 benchmarks available for a wide range of common business technologies, CIS benchmarks are the globally accepted standard for secure configuration. That makes them an ideal choice for system hardening.
Identifying a baseline requires a manual or solution-assisted assessment of systems and assets to see how closely they align with the relevant CIS benchmarks. This initial assessment — along with clear documentation of any areas where configuration falls short of a benchmark — becomes the baseline.
From there, follow these two steps:
- Address configuration shortcomings
- Complete further assessments to an agreed schedule to ensure in-scope assets comply with CIS benchmarks and remain compliant over time.
Complete follow-up assessments as frequently as possible. If a configuration or file change causes an asset to fall out of compliance with a CIS benchmark, it becomes vulnerable to attack. The longer the asset remains non-compliant, the greater the risk it poses to the organization.
For this reason, many organizations use automated solutions to continually monitor files and system configuration to ensure non-compliance issues are identified and resolved quickly.
How To Harden a Network
Hardening a network is the process of eliminating vulnerabilities before an attacker can exploit them. To do this, three functions are needed:
Configuration Management
This is Cybersecurity 101. Before any network can be considered secure, it must be appropriately configured. In this case, appropriately means "in line with CIS Benchmarks."
As discussed in a previous post, there are two levels of CIS benchmarks, one for minimum coverage and another for ‘defense in depth’. Deciding which is appropriate for your network will depend on the organization’s risk tolerance and threat landscape.
Vulnerability and Patch Management
Securing a network is a task that never ends. New vulnerabilities are identified all the time, and vendors release patches for their products regularly. A formal scanning and remediation process is essential to network hardening.
Secure Development (SDLC)
Finally, for internally developed applications or services, having a formal process for using and assessing secure development practices is essential. Without it, new vulnerabilities will constantly be shipped into production, leaving the network vulnerable to cyber attacks.
Putting these three hardening functions in place lays the groundwork for a strong cybersecurity program. It ensures that there are no unnecessary entry points that an attacker could abuse, and the network is protected against common exploits. Without these preliminary steps, even highly sophisticated security technologies won’t be sufficient to protect a network from cyber-attacks.
CIS Hardened Images
Organizations use Virtual machines (VMs) for a variety of purposes, including providing computer access for users. VMs allow a server to mimic the function of numerous physical machines while enabling remote access, for example, from a user’s own device or a thin client.
Most of the time, VMs are created using a pre-made image supplied by the OS manufacturer. This saves a lot of time compared to creating a bespoke image, but it also creates a problem. Images available from suppliers come unconfigured, and hardening a newly created VM can be resource-intensive.
CIS Hardened Images are VM images configured to secure standards based on the relevant CIS Benchmark. Currently, they are available through AWS, GCP, and Microsoft Azure. They come with a report detailing the image’s compliance, including any exceptions to enable the image to run in the cloud.
CIS Hardened Images provide two obvious benefits:
- The images are certified to be in line with CIS benchmarks
- They are far less resource-intensive than manually hardening a base image.
Note, however, that using CIS Hardened Images doesn’t completely solve the problem of system hardening. While these images start from a position of compliance with CIS benchmarks, there is no guarantee they will stay that way.
To ensure they remain compliant, regular assessments must be completed to ensure that any configuration or file changes made have not caused a VM to drop below benchmark standards.
Why is System Hardening Important?
System hardening is an essential function for both security and compliance.
From a security standpoint, system hardening is an essential precursor to protective technologies like firewalls and EDRs. If a system isn’t sufficiently hardened — i.e., it isn’t configured and maintained in line with best practices — it will never be secure, no matter how much is spent on cybersecurity technologies.
At the same time, system hardening is mandated by all major compliance frameworks. For example, PCI-DSS requirement 2.2 requires organizations to:
“[...] develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with security accepted system hardening standards.”
What counts as an accepted system hardening standard? You guessed it: CIS Benchmarks.
All the major compliance frameworks, including PCI-DSS, HIPAA, and FedRAMP, point to CIS benchmarks as the accepted best practice. As a result, if your organization must comply with one or more frameworks, adhering to CIS benchmarks is essential.
Automate System Hardening with CimTrak
CimTrak is an IT integrity, security, and compliance toolset that automates assessing system hardness, identifying issues, and providing remediation guidance.
CimTrak continually scans your environment and assesses current asset configuration against CIS benchmarks. When a misconfiguration is identified, CimTrak raises an alert and offers clear guidance on re-establishing compliance. This functionality makes it easy for organizations to:
- Assess the current hardness of systems and assets.
CimTrak’s continuous scanning provides a real-time snapshot of system configuration compared to CIS benchmarks. - Instantly identify misconfigurations and non-compliance. Manual assessments are resource-intensive and only provide ‘point-in-time' assurance that a system is compliant. CimTrak ensures continual compliance and removes the need for manual assessments.
- Ensure systems remain ‘hard’ at all times. By providing an alert and clear remediation guidance whenever a non-compliance issue arises, CimTrak minimizes the attack surface of systems and assets.
Download the solution brief today to learn more about how CimTrak can help your organization harden its systems and achieve security and compliance objectives.
