Guide to Industry-Accepted Hardening Standards

The goal of systems hardening is to further protect your organization by reducing vulnerabilities in your applications, systems, and information technology infrastructure. By doing so, you’re creating less opportunity for malicious attacks and operational malfunctions, because you are removing unnecessary programs, applications, and access points, which in turn increases the security of your system. Just as removing unnecessary hazards on a busy interstate increases traffic flow and reduces the risk of accidents, removing unnecessary technology in your system decreases the risk of malicious activity and can increase overall operational productivity.

System Hardening Standards

For all the parts of your ever-changing systems, you want to prevent attacks and vulnerabilities as best you can. Hardening your network, servers, applications, databases, and operating systems is a great start to meeting industry-accepted configuration standards. Your hardening standards will vary as your systems and technology differ, but you can focus on developing standards that implement these five areas of system hardening:

Network Hardening

  • Firewall configuration
  • Regular network auditing
  • Limit users and secure access points
  • Block unnecessary network ports
  • Disallow anonymous access

Server Hardening

  • Allocate administrative access and rights properly
  • Secure the data center where your servers are located
  • Disallow shutdown without login

Application Hardening

  • Application access control
  • Remove default passwords
  • Implement password best practices
  • Configure account lockout policy

Database Hardening

  • Implement admin restrictions on access
  • Encrypt data entering and leaving the database
  • Remove unused accounts

Operating System Hardening

  • Apply necessary updates and patches automatically
  • Remove unnecessary files, libraries, drivers, and functionality
  • Log all activity, errors, and warnings
  • Limit sharing and system permissions
  • Configure file system and registry permissions

The implementation of these hardening techniques is by no means a comprehensive approach to security, but it’s a great start to ensure your organization is headed in the right direction for a more secure information security program. By gathering the right tools and techniques, you can set yourself up for security success.
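As an added example, not code from the KirkpatrickPrice article, here is a small POSIX shell audit covering three of the items listed above (unnecessary network ports, default or empty passwords, and file system permissions). The socket listing, the shadow entries and the port allow-list are constructed assumptions so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the article): audit a Linux host against three of
# the hardening items above. The samples below are constructed so the checks
# run offline; for a live host, feed in `ss -tulnH`, /etc/shadow (as root)
# and a real directory instead.

# Ports the business actually needs (assumption; edit for your environment).
ALLOWED_PORTS="22 443"

# Constructed sample in the layout of `ss -tulnH` (proto state recv send local peer).
SAMPLE_SOCKETS='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161    0.0.0.0:*'

# Constructed sample in /etc/shadow layout; the hashes are placeholders.
SAMPLE_SHADOW='root:$6$constructed$hash1:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc_backup:!:19000:0:99999:7:::
admin:$6$constructed$hash2:19000:0:99999:7:::'

# unexpected_ports SOCKET_TEXT
# Prints, one per line, every listening port that is not in ALLOWED_PORTS.
# Loopback-only services are reported too: they are still code accepting input.
unexpected_ports() {
  printf '%s\n' "$1" | awk '{ print $5 }' | sed 's/.*://' | sort -un |
  while read -r port; do
    case " $ALLOWED_PORTS " in
      *" $port "*) ;;          # expected port
      *) echo "$port" ;;       # candidate for disabling or firewalling
    esac
  done
}

# passwordless_accounts SHADOW_TEXT
# Prints account names whose password field is empty (login with no password).
# A '!' or '*' in that field means the account is locked, which is fine.
passwordless_accounts() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# world_writable_files DIR
# Prints regular files under DIR that any user may modify (mode bit o+w).
world_writable_files() {
  find "$1" -type f -perm -002 2>/dev/null
}

# hardening_findings SOCKET_TEXT SHADOW_TEXT DIR
# Prints every finding with a label; returns 0 when clean, 1 when there are
# findings, so a cron job or CI step can fail on the exit status.
hardening_findings() {
  findings=$( {
    unexpected_ports "$1"      | sed 's/^/unexpected-port: /'
    passwordless_accounts "$2" | sed 's/^/passwordless-account: /'
    world_writable_files "$3"  | sed 's/^/world-writable: /'
  } )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Demo run on the constructed samples (no real directory is scanned here).
hardening_findings "$SAMPLE_SOCKETS" "$SAMPLE_SHADOW" /nonexistent ||
  echo "findings present: review against your hardening standard"
```

On the constructed samples the run reports ports 23, 161 and 3306 and the passwordless `guest` account; the allow-list and the locked-account convention are the parts you would adapt to your own standard.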

Industry-Recognized Experts on System Hardening

The information security industry has endless information on industry-accepted system hardening standards through experts such as CIS, NIST, and SANS. You can dive deeper into hardening standards through NIST’s National Checklist Program for IT Products, NIST’s Guide to General Server Security, and security hardening checklist examples from SANS and The University of Texas at Austin. These experts have extensive resources to provide you with industry-accepted standards for all your security needs. At KirkpatrickPrice, our security practices are influenced by and built upon the foundation of these industry-recognized experts. As you establish your own system hardening techniques, you can turn to these experts and the information security specialists at KirkpatrickPrice for security guidance. Contact us today to learn how we can help you further establish your security presence.

More Resources

Compliance is Never Enough: Hardening and System Patching

PCI Requirement 6.2 – Ensure all Systems and Software are Protected from Known Vulnerabilities

SOC 2 Academy: Detect and Monitor Changes in Your System Configurations

5 Network Monitoring Tools and Techniques

Network monitoring is an important piece of information security that every organization should be implementing. Using helpful network monitoring tools, you can track performance issues and security problems to mitigate potential issues quickly. But, with such a saturated market, it can be overwhelming to choose a network monitoring tool that best fits your organization. To help you better track and monitor the security of your network continuously, we’ve pulled together five network monitoring tools to consider using.

5 Network Monitoring Tools

These network monitoring tools monitor various aspects of your network and include features such as SNMP, alerts, bandwidth monitoring, uptime/downtime, baseline threshold calculation, network mapping, network health, customizable reports, wireless infrastructure monitoring, and network performance. In no particular order, these five tools can aid with some of the top network security needs.

ManageEngine OpManager

ManageEngine OpManager is a network monitoring tool that continuously monitors devices such as routers, switches, firewalls, load balancers, wireless LAN controllers, servers, VMs, printers, and storage devices. ManageEngine OpManager must be installed on-site, but it comes with pre-configured network monitor device templates for increased ease of use.

Key features include:

  • Real-time network monitoring
  • Physical and virtual server monitoring
  • Multi-level thresholds
  • Customizable dashboards
  • WAN Link monitoring
  • SNMP monitoring
  • Email and SMS alerts
  • Automatic discovery

Paessler PRTG Network Monitor

Paessler PRTG Network Monitor allows organizations to monitor all their systems, devices, traffic, and applications in their IT infrastructure without additional plugins. You can choose between a number of sensors that will monitor areas of your network, such as bandwidth monitoring sensors, hardware parameters sensors, SNMP sensors, VOIP and QoS sensors, and others.

Key features include:

  • Integrated Technologies (SNMP, WMI, SSH, HTTP requests, SQL, and more)
  • Live-status dashboards
  • Email, push, or HTTP request alerts
  • Threshold-based alert system
  • Reports system
  • Scan for devices by IP segment

SolarWinds NPM

While SolarWinds Network Performance Manager has performance in the name, it is still a valuable network security monitoring tool because it tracks network elements such as servers, switches, and applications. SolarWinds NPM can jump from SNMP monitoring to packet analysis to give your organization greater control over the segmentation monitoring of your network and increase network security.

Key features include:

  • Critical path visualization
  • Intelligent mapping
  • WiFi monitoring and heat maps
  • Advanced alerting
  • SNMP monitoring
  • Discovers connected devices automatically

Nagios

Nagios is a monitoring and alerting engine designed to run natively on Linux systems. The open-source model of Nagios provides the opportunity for organizations to customize and adapt the system to meet their needs. The tool breaks down statuses into three categories – Current Network Status, Host Status Totals, and Service Status Totals. Through the use of APIs, you can integrate other services for true flexibility.

Key features include:

  • Performance dashboard
  • API integration
  • Availability reports
  • Alerting
  • Extended add-ons
  • Upgrade capabilities for Nagios XI

WhatsUp Gold

WhatsUp Gold is a tool that pulls infrastructure management, application performance management, and network monitoring all into one tool. It’s a user-friendly tool with feature-based, customizable pricing packages to fit your organization’s exact structure and network security needs.

Key features include:

  • Hybrid cloud monitoring
  • Real-time performance monitoring
  • Automatic report generation
  • Network mapping
  • Easy-to-use monitoring dashboard

Things to Consider When Choosing a Network Monitoring Tool

Scalability – Depending on the size of your organization and corresponding network size, you need to look for a tool that is able to accommodate that scale. Choose a network monitoring tool that grows in capability as your network grows in size.

Security vs. Performance Tracking – Network monitoring tools vary in the type of monitoring they perform. Network performance tracking tools focus on performance issues and data such as network traffic analysis and network delays. If your goal is to decrease security threats by early detection and prevention tactics, you should consider network security tracking tools.

Cost – The good news about the number of network monitoring tools out in the world is that there is an option for every organization. Whether you’re looking for a free tool to start with or are ready to invest funds into a quality network monitoring tool, there are plenty of options for you.

If you want to learn more about the various tools and techniques you can use to properly secure your network, contact KirkpatrickPrice today. As a firm, we do not partner with any of these tools, but we are passionate about consulting on which solution could benefit your network monitoring techniques.

More Resources

What is Network Penetration Testing?

Think Like a Hacker: Common Vulnerabilities Found in Networks

Know Your Options: Levels of Service for External Network Penetration Tests

Anti-Virus Best Practices: 5 Tools to Protect You

Anti-virus versus anti-malware – what’s the difference? These two categories of protective tools are often misunderstood. It stems from confusion between viruses and malware. A virus is code that can damage your computer, system, and data by copying itself. Malware is used as a catch-all term for malicious software such as spyware, ransomware, trojans, adware, worms, and viruses. Malware is ever-evolving, whereas viruses have been around for a long time and continue to stay generally the same. Wendy Zamora of Malwarebytes Labs expands further on these differences for you to gain a better understanding as you follow anti-virus best practices.

Once you grasp these differences, you can turn your focus to the policies and tools you need to implement to protect against malicious attacks. We’ve gathered a list of five tools to get you started on proper anti-virus protection and a few tips on establishing thorough anti-virus policies to be implemented by your employees.

Protecting Through Anti-Virus Tools

In the world of information security, we often see Internet searches looking for help with Windows Defender or anti-virus for Macs, as well as questions about which anti-virus tools are the best to use. While this list isn’t exhaustive, it’s a good starting place if you’re looking to protect your systems with anti-virus software.

  1. Bitdefender – Bitdefender has enterprise security solutions for all business sizes that help you manage your security from endpoint, to network, to cloud, all of which can include anti-virus and anti-malware software.
  2. Kaspersky – Kaspersky has solutions to predict, prevent, detect, and respond to cyber threats through a number of adaptive security services.
  3. AVG Business – AVG Business offers security tools geared to small business security needs with software that automatically updates to keep your security up to date always. KirkpatrickPrice uses AVG Business to protect our own devices from viruses and various threats.
  4. McAfee – McAfee offers security solutions designed around your business outcomes – transformation, risk management, or automation and efficacy. All of these solutions come with protection against viruses and malware.
  5. Norton – Norton Small Business provides a single-solution security service to protect all your devices according to your specific security needs, including malware protection and anti-virus software implementation.

Keep your data secure with anti-virus software that will detect threats, remove all malware, and protect against new threats. Once you’ve implemented anti-virus tools, you can turn your focus to developing detailed policies regarding anti-virus software.

Establishing Anti-Virus Policies

Don’t drop the ball by just adding anti-virus programs to company laptops and expecting that to protect you from all threats. Create policies that expand your protective efforts to ensure your software is patched, anti-virus tools are working effectively, and anti-virus mechanisms are maintained. The PCI framework includes a number of requirements regarding anti-virus and anti-malware software that can be referenced to develop your own policies. Let’s take a look at a few of the PCI requirements that can guide your anti-virus practices:

  • PCI Requirement 5.1.1 requires that your organization’s anti-virus program be capable of detecting all types of malware, removing all known types of malware, and protecting against all known types of malware.
  • PCI Requirement 5.2.1 states, “For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.”
  • PCI Requirement 5.2 exists to “Ensure that all anti-virus mechanisms are maintained as follows: are kept current, perform periodic scans, and generate audit logs which are retained per PCI DSS Requirement 10.7.”
  • PCI Requirement 5.3 states, “Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.”

These requirements express the need to create policies that will ensure your anti-virus software is kept up to date, effective, and purposeful as part of your information security program. Establish procedures that your organization can implement to further secure your systems and protect against malware and unwanted viruses.

Educating Your Employees on Anti-Virus Best Practices

Once you’ve implemented an anti-virus tool, created policies to maintain that software, and established procedures to follow, you need to educate your employees on anti-virus best practices. Anti-virus training should be included in your annual organization-wide security awareness training. User education should be a top focus to ensure the work you’ve put into mitigating these threats is implemented on all devices. Any small gap can lead to big problems, but your employees can be the first line of defense against these threats. If you’re interested in learning more about security awareness training and how regular education can improve your security posture, contact KirkpatrickPrice today.

More Resources

10 Ways to Conduct Patch Management

Security Awareness Training Compliance Requirements: SOC 2, PCI, HIPAA, and More

15 Must-Have Information Security Policies

Best Practices for Vulnerability Scanning

Vulnerability management should be a priority in any organization’s information security program so that there’s an established approach for identifying and rating issues affecting in-scope systems in a given environment. Vulnerability scans are a main component of vulnerability management, allowing you to evaluate your systems, software, and infrastructure for unpatched holes and gaps in need of remediation. Let’s talk through some best practices for vulnerability scanning to help you protect your assets.

How Often Should You Perform Vulnerability Scanning?

The frequency of vulnerability scanning depends on a few factors: organizational changes, compliance standards, and security program goals. If your organization is looking to maintain a high level of security, vulnerability scanning needs to be added to your information security program. Vulnerability scans should be conducted after any major system, organization, or infrastructure change to ensure you’re aware of any security gaps. And, of course, to comply with various regulations, annual, quarterly, or monthly vulnerability scanning may be required as part of your information security program.

Overall, an industry best practice is to perform vulnerability scanning at least once per quarter. Quarterly vulnerability scans tend to catch any major security holes that need to be assessed, but depending on your unique organizational needs, you may end up performing scans monthly or even weekly. The best way to assess vulnerability scanning frequency is to thoroughly understand your own security structure and the threats you face.

Framework Requirements for Vulnerability Scanning

On your compliance journey, you’ll realize many compliance standards include requirements for regular vulnerability scanning. Some standards require a higher frequency of vulnerability scanning than others, yet most include vulnerability management to some degree. You can expect to see requirements for vulnerability scanning from these industry compliance and regulatory standards:

  • ISO 27001: Requires quarterly external and internal vulnerability scans
  • HIPAA: Requires a thorough risk assessment and vulnerability process, which can be identified with vulnerability scanning
  • PCI DSS: Requires quarterly external and internal scans conducted by an ASV (Approved Scanning Vendor)
  • FISMA: Requires documentation and implementation of a vulnerability program to protect the availability, confidentiality, and integrity of IT systems
  • NIST: Requires either quarterly or monthly vulnerability scans depending on the particular NIST framework (800-171, 800-53, etc.)

How to Perform Vulnerability Scanning

Vulnerability scans are often confused with penetration tests; however, they serve different purposes in your information security program. Vulnerability scanning is an automated process designed to highlight issues on a wide range of systems at regular intervals. With vulnerability scans, you can discover issues such as missing patches and vulnerable software packages. Penetration testing, however, is performed in both manual and automated forms with a more targeted goal in mind. Understanding the difference between and value of these two tools is important so that you can conduct vulnerability scanning with the right expectations.

Vulnerability scanning is conducted with a variety of tools, such as the tools found in OWASP’s list, that can scan systems for various security vulnerabilities. When you hire someone to conduct your vulnerability scans, you’re hiring someone to use a tool on your system. Sometimes, other auditing firms will charge high fees for “manual vulnerability management,” when in reality, they’re using an automated tool to scan your environment. Don’t be fooled into overpriced services that complete the same scan as any helpful vulnerability scanning tool does.

At KirkpatrickPrice, we pride ourselves on honesty and integrity. When you look to us to perform vulnerability scanning services, you’ll know our processes and tools upfront. You can expect a thorough scan of your networks, systems, and equipment to detect and classify any vulnerabilities. Interested in learning more about our vulnerability scanning services? Contact us today.

More Vulnerability Management Resources

Auditor Insights: Vulnerability Assessments vs Penetration Testing

PCI Requirement 11.2.2 – Perform Quarterly External Vulnerability Scans via an Appropriate Scanning Vendor

10 Ways to Conduct Patch Management

ISO 27001 Certification vs. ISO 27001 Audit: What’s the Difference?

Do you want to demonstrate your commitment to security to global business partners? An ISO 27001 report provides organizations with an evolving ISMS that can adapt to new challenges and validates your commitment to security. It can also help you prioritize your information security budget and resources based on risk, because ISO 27001 is customized for your environment and your specific risks. Undergoing an ISO 27001 audit is also a way to be proactive in your information security and compliance efforts, which could be just what you need to stay ahead in your industry. So, what does the ISO 27001 certification process look like and who can perform an ISO 27001 audit? What’s the difference between ISO 27001 certification and an ISO 27001 audit?

The ISO 27001 Certification Process

In order for your organization to become ISO 27001 certified, there are a few steps you’ll have to take. To get the ISO 27001 certification process started, we suggest undergoing a gap analysis to identify any potential vulnerabilities. From there, you’ll remediate the findings and then begin the audit, which is comprised of two stages.

Stage 1 Audit

During your Stage 1 audit, or the “Documentation Review” audit, an external auditor will review your organization’s prepared ISMS documentation to ensure that it is compliant with the ISO 27001 requirements.

Stage 2 Audit

Once you’ve completed the Stage 1 audit, your external auditor will evaluate the fairness and suitability of your information security management, controls, and practices. If your external auditor deems your organization’s ISMS compliant with the ISO 27001 requirements, they will recommend you for certification. ISO 27001 certification is a separate process involving a certifying body.

Value of an ISO 27001 Audit Without Certification

Did you know that many organizations opt to undergo the ISO 27001 audit and not pursue certification? It’s true. You might now be wondering, “Why would you pursue an audit and not want to get the certification?” The bottom line is because certification is not required. Instead, if you decide to pursue an ISO 27001 audit without certification, you will still receive an ISO 27001 report to offer clients and stakeholders who need assurance of your ISMS’ effectiveness, and you only need to work with one firm for your ISO 27001 needs.

Who Can Perform ISO 27001 Audits?

While both internal and external auditors can use the ISO 27001 framework to perform the Stage 1 audit and assess an organization’s ability to meet their information security requirements, using an external auditor is always wise. Here’s why.

When you pursue an ISO 27001 certification, best practice is to hire one firm to perform the audit and a separate firm for the certification process. This process may seem tedious, but it instills independence so that conflict of interest is never a concern.

KirkpatrickPrice only offers ISO 27001 audits and consulting. Our firm is not a certifying body, so any quotes on our ISO 27001 services will never include certification. If you are considering working with a firm that offers both auditing and certification services or has a partnership with another organization in order to offer both, this is a red flag. It indicates a lack of integrity and a conflict of interest, which could have negative implications on your audit and certification.

Have questions getting started on your ISO 27001 audit journey? Contact us today, and we’ll get you started.

More ISO 27001 Resources

ISO 27001 FAQs: Information Security Management for Your Organization

Choosing Between SOC 2 and ISO 27001 Audits

Was the Gap Worth It?