Secure Configurations - Top 20 Security Controls
August 2021 | Michael Wetherald

Top 20 Critical Security Controls Series

In this article, we continue our blog series on the industry standard top 20 critical security controls -- sometimes referred to as the SANS top 20 or CIS Critical Security Controls. These controls give your organization a set of best practices for protecting against the most common attacks faced around the world.

Basic Security Controls

Controls 1-6 are considered the basic controls every organization should employ to have a solid foundation to build from:

#5: Secure Configurations

It is very common for default configurations of hardware and software to be designed to make it quick and easy for you to get the hardware or software working. This often comes at the expense of security. You cannot reasonably expect your users to go through the hundreds or even thousands of configuration options picking those that will provide the optimal level of functionality and security. So you need procedures for establishing and maintaining secure configurations in your environment.

Why Is This Control Important?

You might be tempted to think "all of my software is up to date, so it's secure". But software configured in an insecure manner will be vulnerable to exploitation regardless of which version of it is running. Without a system for managing secure configurations, you increase the likelihood of insecure configurations existing in your environment.

How to Implement This Control

This control involves establishing, implementing, maintaining, and monitoring configurations in your environment.

Establish Secure Configurations

Rather than starting from scratch with your configurations, you can use configurations provided by organizations like the National Institute of Standards and Technology or Center for Internet Security. These configurations are provided free of charge and should be used as a baseline from which you deviate carefully.

Establish and Secure Master Images

The biggest takeaway from this section is to ensure your configurations are applied to new or compromised hosts in your environment. The image you receive freshly installed from the manufacturer is almost certainly not going to match your established secure configurations, so you are going to need to reconfigure every new device you get. Hosts in your environment that need to be reimaged will need to have those secure configurations reapplied as well. The best way to achieve this is to establish and securely store master images for all of the devices in your network.

Utilize System Configuration Management Tools

Instead of running around trying to manually manage configurations on all of your hosts, implement a system configuration management tool to deploy configurations for the operating system and applications running on the devices in your environment. These tools should be set to automatically redeploy your configurations at a regularly scheduled interval to ensure the devices remain configured properly.

Automated Configuration Monitoring

Lastly, implement an automated SCAP-compliant configuration monitoring system to verify your hosts are receiving and properly implementing your secure configurations. Alerts should be issued when hosts are found to have had unauthorized changes made to their configurations. The goal is to make sure the hosts in your environment are securely configured. It only takes one misconfigured host for an attacker to gain access. Without tracking and reporting on configurations, you will inevitably have some hosts slip through the cracks.
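To make the monitoring idea concrete, here is an added example (not from the original article, and a simplified stand-in rather than a SCAP implementation) that compares a host's global sshd_config settings against a baseline and reports drift, including settings left unset so the host silently falls back to the software default. The choice of sshd_config, the baseline values, the host names and the function names are all assumptions made for illustration; Include directives are not followed.

```python
# Constructed baseline and host configs, for illustration only. Take real
# values from your organization's approved benchmark.
BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no",
            "x11forwarding": "no", "maxauthtries": "4"}

def parse_global_settings(text):
    """Parse sshd_config-style text into {keyword: value}.
    Keywords are case-insensitive, the first occurrence of a keyword wins
    (as in sshd), and parsing stops at the first Match block because
    everything after it applies only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def find_drift(text, baseline=BASELINE):
    """Return (keyword, expected, actual) tuples sorted by keyword. actual
    is None when the keyword is unset and the default applies."""
    actual = parse_global_settings(text)
    return [(k, want, actual.get(k)) for k, want in sorted(baseline.items())
            if (actual.get(k) or "").lower() != want.lower()]

SAMPLE_HOSTS = {  # constructed sample input
    "web01": "PermitRootLogin no\nPasswordAuthentication no\n"
             "X11Forwarding no\nMaxAuthTries 4\n",
    "db02": "# changed by hand during an outage\n"
            "PermitRootLogin yes\nPermitRootLogin no\n"
            "passwordauthentication NO\n"
            "Match User backup\n    X11Forwarding no\n    MaxAuthTries 4\n",
}

def audit(hosts=SAMPLE_HOSTS):
    """Return {host: findings} for every host, compliant or not."""
    return {host: find_drift(text) for host, text in hosts.items()}

if __name__ == "__main__":
    for host, findings in audit().items():
        for key, want, got in findings:
            shown = "unset (default applies)" if got is None else got
            print(f"ALERT {host}: {key} expected {want!r}, found {shown}")
```

On db02 the later `PermitRootLogin no` line does not help because the first value wins, and the hardened values inside the Match block do not count as global settings.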

Conclusion

Be sure to check out the next article in our series, where we cover security control #6: Maintenance, Monitoring and Analysis of Audit Logs.

Establishing and maintaining secure configurations for the hosts in your environment is a critical step in reducing the cybersecurity risk facing your organization. Viam is here to help guide you through implementing this control at your organization. Contact us today if you are ready to take steps to reduce the cybersecurity risk in your organization.

Michael Wetherald
Security Engineer and Co-Founder

Michael is the inventor of a patent pending web proxy technology and brings to Viam his expertise in web and Linux security. Outside of work he enjoys carpentry, having built a dog mansion for his spoiled dog.
