In the past, the cybersecurity industry paid the most attention to technologies that either block threats or help organizations recover from them. These are solutions like firewalls, antivirus, and EDRs, which help protect a network from harm.
However, this obsession with protection missed a fundamental truth. Security isn’t something you do to a network — it’s an emergent property of building a network environment securely from the ground up.
If your network or assets aren’t set up securely, they will always be vulnerable — no matter how much you spend on security solutions. That’s where system hardening comes in.
What is System Hardening?
System hardening is the process of securing an asset — for example, a server, operating system, or application — by reducing its attack surface. That means configuring the asset in a way that cuts down the number of ways an attacker can gain access to it.
Out of the box, most software and hardware assets come in a state designed to make them easy to use — not one that’s secure. Typically, all services will be turned on, all ports open, and all applications active.
From a quick setup standpoint, that’s great. From a security perspective, it’s awful. There are known exploits and vulnerabilities for practically every asset you can think of, and leaving these weaknesses open is a surefire way of inviting malicious activity.
A hardened asset is an asset that has been configured for both functionality and security. Typically, this involves closing or disabling any port, service, user account, or application that isn’t required.
It’s not possible to lock down everything, of course, as that would often render the asset useless. However, by disabling everything that isn’t needed, and configuring the asset to protect against known vulnerabilities and exploits, you can drastically reduce the likelihood it will be compromised.
System hardening is an essential prerequisite for any cybersecurity program. It’s the solid foundation on which other security solutions can be mounted. After all, there’s no point in spending hundreds of thousands of dollars on the latest firewalls, EDRs, and IDS/IPS systems if your assets can be compromised in seconds by anyone with an Internet connection.
How To Approach System Hardening
In theory, any organization could set its own standards for system hardening.
But there’s a problem. Assets often have thousands of configuration options, which can change with each new version. Defining your own set of standards may be theoretically possible, but it would take a huge amount of time and resources to maintain it.
Instead, most organizations choose to work with an existing framework and best practices that are already accepted within their industry — either as a regulatory requirement or a preferred standard.
Right now, the two most popular options are DISA STIGs and the CIS Benchmarks.
What are DISA STIGs?
The Defense Information Systems Agency’s (DISA) Security Technical Implementation Guides (STIGs) are a set of best-practice rules for installing and supporting IT systems. Each STIG relates to a specific asset — for example, an operating system, application, or piece of network hardware — and lays out the configuration and maintenance practices necessary to ensure that the asset is set up and managed securely.
Developed by DISA on behalf of the Department of Defense, STIGs are the accepted standards used by federal government organizations and contractors to ensure the security of government information.
Right now, there are almost 500 STIGs, accounting for more than 20,000 controls in total. STIGs are updated every 90 days, making them a highly relevant and up-to-date source of configuration guidance.
The application of STIGs for system hardening is obvious. This is a set of standards designed to ensure federal government information is kept securely, but it carries over well to any other industry. And, if your organization is a government contractor with access to DoD systems, compliance with relevant STIGs is more than good practice — it’s a regulatory requirement.
Because each STIG is so comprehensive, ensuring your organization complies with all relevant STIGs can be complex. However, once you have the systems and processes in place to achieve and maintain compliance, you will see a significant reduction in cyber risk.
Again, system hardening — in this case, using DISA STIGs as a framework to achieve it — is about building a solid foundation, on top of which you can mount technology solutions. Once the foundation is built, half the battle is already won.
What are CIS Benchmarks?
Published by the Center for Internet Security (CIS), the CIS benchmarks are best-practice security configuration guides developed in collaboration with government organizations, businesses, academic institutions, and security industry experts.
Once again, the Benchmarks are designed to help organizations ‘harden’ digital assets. Over 100 Benchmarks are available across 14 technology groups, including assets produced by Microsoft, Cisco, AWS, and IBM.
Although not a regulatory requirement, most major compliance frameworks — including PCI-DSS and HIPAA — have configuration requirements that map very closely to the CIS Benchmarks. Combined with regular updates and a broad range of inputs, this makes the Benchmarks an ideal system hardening framework for any organization.
Unlike DISA STIGs, each CIS Benchmark is split into two ‘tiers’ designed to accommodate different security and compliance needs.
- Level 1 helps an organization rapidly minimize its attack surface while prioritizing business functionality. Achieving Level 1 compliance across all assets is the minimum level of security an organization should aim to meet.
- Level 2 is a more robust set of requirements that prioritizes the organization’s security posture by promoting ‘defense in depth’. Level 2 compliance is essential for organizations that have high security and compliance needs, such as those in heavily regulated industries. Naturally, Level 2 compliance is more complex and resource-intensive to maintain.
All CIS Benchmarks can be downloaded for free in PDF format via the CIS website. Each document is extremely thorough, with some running as long as 800+ pages.
As with DISA STIGs, ensuring compliance with CIS Benchmarks across all assets can be a complex undertaking — particularly when relying on manual audits and interventions.
When it comes to securing Virtual Machines (VMs), one effective approach is to utilize CIS Hardened Images in conjunction with CIS Benchmark guidelines.
CIS Hardened Images are Virtual Machine (VM) images that have been configured to secure standards based on the relevant CIS Benchmark. Currently, they are available through AWS, GCP, Microsoft Azure, and Oracle Cloud marketplaces and come with a report that details the image's compliance, including any exceptions made to enable the image to run on the cloud.
Implementing a System Hardening Framework
Realistically, maintaining perfect compliance with either DISA STIGs or CIS Benchmarks is not possible using manual processes. With so many controls to meet and configuration options to manage, a manual approach that relies on frequent assessments is too slow and labor-intensive for most organizations.
So how do you ensure assets remain in a hardened state? This is where technology plays a crucial role.
An automated solution can make it much faster and less resource-intensive to implement and maintain compliance with a framework like DISA STIGs or the CIS Benchmarks. These solutions scan your environment to help you establish a secure configuration baseline, and help you quickly identify areas of non-compliance that need to be addressed.
Further, by continuously scanning your environment over time and highlighting misconfigurations as they arise, these solutions make it much easier to maintain compliance as well. From a system hardening perspective, this drastically reduces cyber risk and ensures vulnerabilities don’t creep into your environment over time.
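As an added illustration of the baseline-and-drift workflow described above (this is not CimTrak’s or CIS’s code; the rule set and the two sample configurations are assumed), a small Python checker that parses an sshd_config-style file, evaluates a few hardening rules of the kind benchmarks commonly cover, and reports which settings have drifted from a saved baseline:

```python
# Added illustration (not CimTrak or CIS code): a toy baseline checker for sshd_config-style files.
import re

# Assumed rule set modelled on SSH settings hardening guides commonly address (not real
# benchmark control IDs): key -> (predicate on configured value, readable expectation).
RULES = {
    "PermitRootLogin": (lambda v: v == "no", "no"),
    "PermitEmptyPasswords": (lambda v: v == "no", "no"),
    "X11Forwarding": (lambda v: v == "no", "no"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "<= 4"),
}

def parse_config(text):
    """Return {lowercased key: value}; sshd keys are case-insensitive and first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match "):
            break                                    # conditional block; out of scope here
        m = re.match(r"(\w+)[\s=]+(.+)", line)       # accepts "Key value" and "Key=value"
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings

def assess(settings):
    """Evaluate every rule; an absent key fails, since the daemon default may be weaker."""
    out = {}
    for key, (ok, expected) in RULES.items():
        value = settings.get(key.lower())
        out[key] = {"value": value, "expected": expected,
                    "pass": value is not None and ok(value)}
    return out

def drift(baseline, current):
    """Keys whose value changed, appeared or vanished since the baseline snapshot."""
    return {k: (baseline.get(k), current.get(k))
            for k in sorted(baseline.keys() | current.keys())
            if baseline.get(k) != current.get(k)}

# Constructed samples: the baseline taken right after hardening, and the same host later.
BASELINE_CONF = "PermitRootLogin no\nPermitEmptyPasswords no\nX11Forwarding no\nMaxAuthTries 4\n"
DRIFTED_CONF = "PermitRootLogin yes  # re-enabled 'temporarily'\nPermitEmptyPasswords no\nMaxAuthTries 6\n"

if __name__ == "__main__":
    base, cur = parse_config(BASELINE_CONF), parse_config(DRIFTED_CONF)
    for key, r in assess(cur).items():
        print(f"{'PASS' if r['pass'] else 'FAIL'} {key}={r['value']!r} (expected {r['expected']})")
    print("drift since baseline:", drift(base, cur))
```

Run against a real file by reading it into `parse_config`; a production scanner would keep the baseline snapshot outside the monitored host and re-run the comparison on a schedule.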
Automate System Hardening with CimTrak
CimTrak is an IT integrity, security, and compliance toolset that automates the process of achieving and maintaining compliance with frameworks like DISA STIGs, CIS Benchmarks, and many more, continuously.
CimTrak continually monitors your environment and assesses asset configuration against your chosen framework. When an issue or misconfiguration is found, CimTrak raises an alert and provides clear evidence and guidance on how to resolve it.
This functionality makes it easy for organizations to:
- Assess network hardness. CimTrak continuously scans your environment and provides a real-time view of how system configuration compares with your chosen framework.
- Instantly identify issues and misconfigurations. Unlike manual assessments, which provide ‘point-in-time’ insight, CimTrak makes it easy to ensure continuous compliance with your chosen framework while cutting out the huge time and resource burden required to conduct manual assessments.
- Ensure systems remain ‘hard’ at all times. It’s easy for an asset to fall out of compliance with your chosen standard. With clear alerts and remediation guidance, CimTrak makes it easy to stay on top of non-compliance issues as they arise, minimizing the window of vulnerability.
To learn more about how CimTrak can help your organization harden its systems and achieve security and compliance objectives, download the CIS Benchmarks solution brief today.
June 15, 2023