Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Master Your Security Foundation: Harden Your Systems

According to a survey conducted by Tenable in late 2016, only 50% of our customers use our configuration auditing capabilities. That’s the bad news. The good news is that those who do use it really like it. But back to the bad news; Tenable and the Center for Internet Security sponsored a separate research project that found that only 55% of organizations enforce secure configuration standards for laptops, workstations and servers. That leaves a lot of systems with potentially unnecessarily open ports and services, weak or default passwords, overly broad user rights and other configuration weaknesses.

Note: The CIS Controls were formerly known as the Center for Internet Security Critical Security Controls (CSC).

If you’ve read my recent blog posts, you understand the importance of having only authorized devices and software on your network. The next step, according to the CIS Controls, is to securely configure (harden) the authorized hardware and software of your mobile devices, laptops, workstations and servers. The CIS is not alone in this recommendation – other security frameworks and compliance standards echo the importance of securely configuring your systems as well.

Standard

“Securely Configure your Systems” Control Objective

PCI DSS

2.2: Develop configuration standards for all system components.

NIST Cybersecurity Framework

PR.IP-1: Baseline configurations are created and maintained.

ISO/IEC 27002:2013

A.14.2.8: System security testing

A.18.2.3: Technical compliance review

NIST 800-53 rev 4

CM-2: Baseline configuration

CM-6 Configuration settings

CM-7 Least functionality

Even if you follow strict configuration management and provision secure “golden” images, you should still audit configurations frequently to identify the inevitable configuration drift that occurs as configurations are manually modified. Additionally, you should securely configure the entire stack, not just the operating system – especially for internet-facing servers. Don’t ignore virtualization, cloud infrastructure, container platforms, containers, web servers and database servers. Like the proverbial chain, security is only as strong as the weakest layer of the stack.

Configure the entire stack, not just the operating system

You can get started with configuration standards available from multiple sources. The CIS publishes more than three dozen Benchmarks, DISA publishes a number of Security Technical Implementation Guides (STIGs), and many vendors publish their own guidelines. You may need to tailor the standards to your organization’s specific requirements. The key is to get started!

Tenable can help

Tenable offers more than 300 configuration audit files that cover multiple versions of popular operating systems, cloud infrastructure, web servers, databases, Windows productivity apps and network devices. Additionally, SecurityCenter® 5 is fully certified against Security Content Automation Protocol (SCAP) 1.2. SCAP, a methodology used to evaluate vulnerability management, measurement and policy compliance of security software solutions, is recommended by CIS to streamline reporting and integration. It is also meets NIST and FISMA reporting requirements.

SecurityCenter offers three reporting mechanisms to address a range of requirements. Each can be scoped for specific business systems to focus results:

  • Reports by asset type list setting-by-setting and system-by-system audit results and identify settings requiring remediation.
  • Dashboards display compliance status, allowing users to drill into details as needed (see example below).
  • Assurance Report Cards (ARCs) communicate a compliance status overview that can be communicated to business owners and non-technical stakeholders (see example below).

 

CIS Audit Summary dashboard
The CIS Audit Summary dashboard organizes CIS Benchmark results by asset type. You can easily add and delete asset types to match your environment.

 

 

CIS CSC: Secure Configuration (CSC 3,11) ARC
The CIS CSC: Secure Configuration Assurance Report Card evaluates policy compliance and presents pass/fail results for policy test.

 

Learn more

The CIS Controls include seven sub-controls that support Secure Configurations for Hardware and Software. A detailed discussion of these sub-controls is beyond the scope of this blog – but we can help you learn more. Tenable is hosting a webinar on June 21st when we will dive into the control details, show you how Tenable can help and answer your questions. This webinar is the third of a five-part series that will explore each of the CIS Foundational Cyber Hygiene controls. Brian Ventura, a SANS community instructor, will be our expert guest presenter. Brian teaches a 2-day course, Critical Security Controls: Planning, Implementing and Auditing. He has also taught a 5-day course, Implementing and Auditing the Critical Security Controls – in Depth. In addition to presenting valuable content, we will reserve time for questions and answers.

Look for future blogs where I will discuss the remaining Foundational Cyber Hygiene controls:

  • Continuous vulnerability assessment and remediation
  • Controlled use of administrative privileges

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.