Notes from the Field: CIS Control 4 – Secure Configuration of Enterprise Assets and Software
Next up in our series on the Center for Internet Security (CIS) Controls, auditor Greg Halpin dives into Control 04, Secure Configuration of Enterprise Assets and Software. As a reminder, the CIS Controls are 18 information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data from attackers.
The CIS overview for Secure Configuration of Enterprise Assets and Software reads: "Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications)."
Why is this a critical control?
The CIS Controls document states that this control is critical because systems and software are delivered configured for ease of use and deployment, not for security. Default configurations are generally insecure: attackers exploit default user accounts and passwords, default protocols, and other insecure settings. Security settings must be maintained over the life of the system or software, and configuration changes need to be tracked for compliance purposes. The document also considers service providers, who may implement looser controls to support their many customers.
The CIS Controls document points to security configuration checklists that system administrators and security professionals can use to secure their systems, such as the NIST National Checklist Program and the CIS Benchmarks Program, and lists 11 steps for developing secure baselines. It also defines a number of safeguards (sub-controls) in support of this control.
They include:
- Establish and Maintain a Secure Configuration Process
- Configure Automatic Session Locking on Enterprise Assets
- Implement and Manage a Firewall on Servers
- Manage Default Accounts on Enterprise Assets and Software
- Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
- Configure Trusted DNS Servers on Enterprise Assets
- Enforce Automatic Device Lockout on Portable End-User Devices
In my work as an information security auditor, I see some clients doing very good work in this area. They have detailed security configurations for their operating systems, software, and network devices. Others are not as diligent.
On a recent gap analysis engagement with a client that provides a web application, the client explained how they secure their servers: they install the latest security patches and anti-virus software, change the administrator password, and enable the firewall on their servers. I asked if they do anything beyond those steps. Unfortunately, they do not.
Let's face it, that does not qualify as actually securing a system. I asked the company's information security manager if he would feel confident using a vendor that had such minimal controls in place. He grimaced for a few seconds and finally said no. He would expect much more, just as his company's customers expect more from him and his information security team when it comes to securing their data.
I discussed how other companies have much more rigorous controls. Some have a checklist of 20 or 30 security settings they change. Still others implement hundreds of individual security settings from Security Technical Implementation Guides (STIGs) or the CIS Benchmarks for operating systems, software, and network devices. Implementing that many settings is normally done with scripts or Group Policy, and there are tools that can verify systems continue to maintain the desired configuration over time. For Linux systems, clients often use Chef or Puppet. In AWS they may use Terraform to deploy and maintain secure configurations. In support of securing their systems, organizations also run vulnerability scans to identify remaining weaknesses and take appropriate action.
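The "verify systems maintain the desired configuration" step is easy to get subtly wrong, because a grep for a setting does not reflect how the software actually resolves it. The script below is an added example written for this article; it is not code from the author, KirkpatrickPrice, CIS, or any of the tools named above. It checks the global section of an OpenSSH sshd_config against a small, illustrative baseline whose keywords and thresholds are modelled on the kind of SSH hardening recommendations found in the CIS Linux benchmarks (no benchmark section numbers or exact wording are reproduced). Both configuration texts are constructed inline so it runs offline: a near-stock file beside its hardened counterpart.

```python
"""Benchmark-style drift check for the global section of an OpenSSH sshd_config.

Added example for this article, not code from the author, KirkpatrickPrice or CIS.
The BASELINE is illustrative; the "default" values are OpenSSH's documented
defaults from sshd_config(5) and are what applies when a keyword is absent.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Check:
    keyword: str                 # sshd_config keyword (matched case-insensitively)
    expected: str                # human-readable expectation for the report
    ok: Callable[[str], bool]    # predicate applied to the lower-cased effective value
    default: str                 # OpenSSH's built-in default when the keyword is absent


@dataclass(frozen=True)
class Finding:
    keyword: str
    observed: str
    expected: str
    passed: bool
    source: str                  # "config" if set in the file, "default" otherwise


# Illustrative baseline modelled on CIS-style SSH recommendations (assumption, not CIS text).
BASELINE: List[Check] = [
    Check("PermitRootLogin", "no", lambda v: v == "no", "prohibit-password"),
    Check("MaxAuthTries", "4 or less", lambda v: v.isdigit() and int(v) <= 4, "6"),
    Check("X11Forwarding", "no", lambda v: v == "no", "no"),
    Check("PermitEmptyPasswords", "no", lambda v: v == "no", "no"),
    Check("HostbasedAuthentication", "no", lambda v: v == "no", "no"),
    Check("IgnoreRhosts", "yes", lambda v: v == "yes", "yes"),
    Check("LogLevel", "INFO or VERBOSE", lambda v: v in ("info", "verbose"), "INFO"),
]


def parse_global_settings(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map for an sshd_config text.

    Mirrors two sshd rules a naive grep misses: the FIRST occurrence of a keyword
    wins (later duplicates are ignored), and everything after the first 'Match'
    line is conditional, so it is excluded from the global view. Keys are
    lower-cased; values are stripped but otherwise left as written.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):            # blank lines and comment lines
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # sshd accepts 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def check_config(text: str, baseline: List[Check] = BASELINE) -> List[Finding]:
    """Evaluate every baseline check against the effective (configured or default) value."""
    settings = parse_global_settings(text)
    findings: List[Finding] = []
    for c in baseline:
        value = settings.get(c.keyword.lower())
        source = "config" if value is not None else "default"
        effective = value if value is not None else c.default
        findings.append(Finding(c.keyword, effective, c.expected, c.ok(effective.lower()), source))
    return findings


def failed_keywords(findings: List[Finding]) -> List[str]:
    return [f.keyword for f in findings if not f.passed]


def report(findings: List[Finding]) -> str:
    return "\n".join(
        f"{'PASS' if f.passed else 'FAIL'} {f.keyword}: observed '{f.observed}' "
        f"({f.source}), expected {f.expected}"
        for f in findings
    )


# Constructed sample: a near-stock file. PermitRootLogin is present only as a comment,
# so OpenSSH's default (prohibit-password) is what actually applies.
NEAR_STOCK_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
X11Forwarding yes
MaxAuthTries 6
PermitEmptyPasswords no
"""

# Constructed sample: the hardened version. The second MaxAuthTries line and the
# Match block are deliberate traps that a first-match, global-only parser must ignore.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
MaxAuthTries 4
X11Forwarding no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
LogLevel VERBOSE
MaxAuthTries 10
Match User backup
    X11Forwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("near-stock", NEAR_STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = check_config(cfg)
        print(f"== {name}: {len(failed_keywords(results))} of {len(results)} checks failed")
        print(report(results))
```

Run on a real host, the same logic would read /etc/ssh/sshd_config (or, better, the output of `sshd -T`, which prints the fully resolved effective settings), and the failing keywords are exactly the drift a configuration management run should correct. The near-stock sample fails on PermitRootLogin, MaxAuthTries and X11Forwarding; the hardened sample passes every check despite the duplicate and the Match block.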
With a background in a Department of Defense environment, I have spent a lot of time implementing controls from STIGs and the CIS Benchmarks for Windows, Linux, and VMware. I highly recommend the CIS Benchmarks to clients to review and implement. The CIS produces the benchmarks for many operating systems, network devices, software, and cloud environments.
The PDF document that lists the controls for Windows Server 2019, for example, is over 900 pages long and gets into every detail of securing a Windows Server. The benchmark for Amazon Linux 2 is almost 400 pages long. The benchmarks can guide IT professionals who don't know where to begin with properly securing their organization's systems. Securely configuring enterprise assets and software also demonstrates a level of due diligence in protecting your company's and customers' data and systems.
Work with a KirkpatrickPrice expert to make sure your environment is configured securely.
Properly implementing CIS control 04 will help secure your organization’s assets, but we know that implementing this control can be overwhelming. If you need help configuring your organization’s environment, connect with a KirkpatrickPrice expert today.
About the Author
Greg Halpin has 25 years of experience in information technology and security. He has a Master’s in Information Sciences – Cybersecurity and Information Assurance from Penn State University, and he has earned the CISSP, CISA, and CCSP certifications. He enjoys working with people and organizations to help them secure their networks and systems. Greg lives in Happy Valley, PA.