In most instances, new digital assets, such as servers and operating systems, come in an unconfigured state. When an asset is installed, everything is enabled by default. All application services are turned on, and all ports are open. At the same time, most new assets aren’t fully updated — they often require multiple software and firmware updates. This is where system hardening comes in.
System hardening is the process of configuring an asset in line with security best practices to reduce its vulnerability to cyber attacks. The process involves reducing the ‘attack surface’ of the asset by disabling unnecessary services, user accounts, and ports.
The purpose of system hardening is simple. The smaller an asset’s attack surface — i.e., the fewer entry points it has — the harder it is for an attacker to gain unauthorized access.
Establishing a System Hardening Baseline
One of the most important steps in system hardening is to establish a baseline. This requires an initial assessment of system ‘hardness’ against an established best practice framework.
In a recent post, we discussed the function and importance of the Center for Internet Security’s (CIS) benchmarks. CIS benchmarks are a set of best practice configuration standards developed by consensus between a broad range of cybersecurity experts.
With over 100 benchmarks available for a wide range of common business technologies, CIS benchmarks are the globally accepted standard for secure configuration. That makes them an ideal choice for system hardening.
Identifying a baseline requires a manual or solution-assisted assessment of systems and assets to see how closely they align with the relevant CIS benchmarks. This initial assessment — along with clear documentation of any areas where configuration falls short of a benchmark — becomes the baseline.
From there, two steps are required:
Configuration shortcomings should be addressed; and,
Further assessments should be completed to an agreed schedule to ensure in-scope assets are brought into compliance with CIS benchmarks and remain compliant over time.
Follow-up assessments should be completed as frequently as possible. If a configuration or file change causes an asset to fall out of compliance with a CIS benchmark, it becomes vulnerable to attack. The longer the asset remains non-compliant, the greater the risk it poses to the organization.
For this reason, many organizations use automated solutions to continually monitor files and system configuration to ensure non-compliance issues are identified and resolved quickly.
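The baseline-and-reassess cycle described above, as an added example that is not part of the original post or any CIS or CimTrak tooling: a small assessment routine checks a configuration snapshot against a handful of constructed benchmark-style rules (rule ids and setting names are hypothetical, not real CIS recommendation numbers) and records shortfalls, and a drift check reports which settings changed since the documented baseline so that a follow-up assessment can flag them.

```python
"""Added example, not from the original post: a minimal benchmark-style
baseline assessment plus a drift check between two configuration snapshots.
Rules, rule ids, setting names and snapshots are all constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str      # hypothetical id, not a real CIS recommendation number
    description: str
    key: str          # setting name as it appears in a snapshot
    expected: object  # value the rule requires (a set means "subset of")

# Constructed rules in the spirit of a CIS benchmark (not actual CIS text).
RULES = [
    Rule("CFG-1", "SSH root login disabled", "sshd.PermitRootLogin", "no"),
    Rule("CFG-2", "Telnet service disabled", "service.telnet", "disabled"),
    Rule("CFG-3", "No accounts with empty passwords", "accounts.empty_password", 0),
    Rule("CFG-4", "Only approved listening ports", "net.listen_ports", {22, 443}),
]

def assess(snapshot, rules=RULES):
    """Return one finding per rule the snapshot does not satisfy."""
    findings = []
    for r in rules:
        if r.key not in snapshot:
            status = "unknown"  # setting not collected: cannot claim compliance
        elif isinstance(r.expected, set):
            status = "pass" if set(snapshot[r.key]) <= r.expected else "fail"
        else:
            status = "pass" if snapshot[r.key] == r.expected else "fail"
        if status != "pass":
            findings.append({"rule": r.rule_id, "desc": r.description,
                             "expected": r.expected,
                             "actual": snapshot.get(r.key), "status": status})
    return findings

def drift(baseline, current):
    """Map each setting whose value changed to (baseline value, current value)."""
    return {k: (baseline.get(k), current.get(k))
            for k in baseline.keys() | current.keys()
            if baseline.get(k) != current.get(k)}

# Constructed snapshots: a freshly installed host, the same host after
# hardening, and that host again after an unreviewed change opened a port.
FRESH = {"sshd.PermitRootLogin": "yes", "service.telnet": "enabled",
         "accounts.empty_password": 0, "net.listen_ports": [22, 23, 443]}
HARDENED = {"sshd.PermitRootLogin": "no", "service.telnet": "disabled",
            "accounts.empty_password": 0, "net.listen_ports": [22, 443]}
LATER = dict(HARDENED, **{"net.listen_ports": [22, 443, 8080]})

if __name__ == "__main__":
    for finding in assess(FRESH):
        print("baseline shortfall:", finding)
    print("drift since documented baseline:", drift(HARDENED, LATER))
```

A setting that was never collected is reported as "unknown" rather than silently passing, since an assessment can only vouch for what it actually measured.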
How To Harden a Network
Hardening a network is the process of eliminating vulnerabilities before they can be exploited by an attacker. To do this, three functions are needed:
Secure Configuration
This is cybersecurity 101. Before any network can be considered secure, it must be configured properly. In this case, properly means ‘in line with CIS benchmarks’.
As we discussed in our previous post, there are two levels of CIS benchmarks, one for minimum coverage and another for ‘defense in depth’. Deciding which is appropriate for your network will depend on your organization’s risk tolerance and threat landscape.
Vulnerability and Patch Management
Securing a network is a task that never ends. New vulnerabilities are identified all the time, and vendors release patches for their products regularly. Having a formal scanning and remediation process is an essential component of network hardening.
Secure Development (SDLC)
Finally, for internally developed applications or services, having a formal process for using and assessing secure development practices is essential. Without it, new vulnerabilities will constantly be shipped into production, leaving the network vulnerable to cyber attacks.
Putting these three hardening functions in place lays the groundwork for a strong cybersecurity program. It ensures that there are no unnecessary entry points that could be abused by an attacker, and the network is protected against common exploits. Without these preliminary steps, even highly sophisticated security technologies won’t be sufficient to protect a network from cyber attacks.
CIS Hardened Images
Virtual machines (VMs) are used by organizations for a variety of purposes, including to provide computer access for users. VMs allow a server to mimic the function of numerous physical machines while enabling remote access, for example, from a user’s own device or a thin client.
Most of the time, VMs are created using a pre-made image supplied by the OS manufacturer. This saves a lot of time compared to creating a bespoke image, but it also creates a problem. Images available from suppliers come in an unconfigured state, and it can be resource-intensive to harden a newly created VM.
CIS Hardened Images are VM images that have been configured to secure standards, based on the relevant CIS Benchmark. Currently, they are available through AWS, GCP, and Microsoft Azure, and come with a report that details the image’s compliance, including any exceptions made to enable the image to run in the cloud.
CIS Hardened Images provide two obvious benefits:
The images are certified to be in line with CIS benchmarks; and,
They are far less resource-intensive than manually hardening a base image.
Note, however, that using CIS Hardened Images doesn’t completely solve the problem of system hardening. While these images start from a position of compliance with CIS benchmarks, there is no guarantee they will stay that way.
To ensure they remain compliant, regular assessments must be completed to ensure that any configuration or file changes made have not caused a VM to drop below benchmark standards.
Why is System Hardening Important?
System hardening is an essential function for both security and compliance.
From a security standpoint, system hardening is an essential precursor to protective technologies like firewalls and EDRs. If a system isn’t sufficiently hardened — i.e., it isn’t configured and maintained in line with best practices — it will never be secure, no matter how much is spent on cybersecurity technologies.
At the same time, system hardening is mandated by all major compliance frameworks. For example, PCI-DSS requirement 2.2 requires organizations to:
“[...] develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with security accepted system hardening standards.”
What counts as an accepted system hardening standard? You guessed it: CIS benchmarks.
In fact, all the major compliance frameworks, including PCI-DSS, HIPAA, and FedRAMP, point to CIS benchmarks as the accepted best practice. As a result, if your organization needs to be compliant with one or more frameworks, adhering to CIS benchmarks is essential.
Automate System Hardening with CimTrak
CimTrak is an IT integrity, security, and compliance toolset that automates the process of assessing system hardness, identifying issues, and providing remediation guidance.
CimTrak continually scans your environment and assesses current asset configuration against CIS benchmarks. When a misconfiguration is identified, CimTrak raises an alert and provides clear guidance on how to re-establish compliance. This functionality makes it easy for organizations to:
Assess the current hardness of systems and assets. CimTrak’s continuous scanning provides a real-time snapshot of system configuration compared to CIS benchmarks.
Instantly identify misconfigurations and non-compliance. Manual assessments are resource-intensive and only provide ‘point-in-time’ assurance that a system is compliant. CimTrak ensures continual compliance and removes the need for manual assessments.
Ensure systems remain ‘hard’ at all times. By providing an alert and clear remediation guidance whenever a non-compliance issue arises, CimTrak minimizes the attack surface of systems and assets.
June 3, 2020