Guide to Industry-Accepted Hardening Standards

The goal of systems hardening is to further protect your organization by reducing vulnerabilities in your applications, systems, and information technology infrastructure. By removing unnecessary programs, applications, and access points, you increase the security of your system and create less opportunity for malicious attacks and operational malfunctions. Just as removing unnecessary hazards on a busy interstate increases traffic flow and reduces risk of accidents, removing unnecessary technology in your system decreases the risk of malicious activity and can increase overall operational productivity.

System Hardening Standards

For all the parts of your ever-changing systems, you want to prevent attacks and vulnerabilities as best you can. Hardening your network, servers, applications, database, and operating systems is a great start to meeting industry-accepted configuration standards. Your hardening standards will vary as your systems and technology will differ, but you can focus on developing standards to implement these five areas of system hardening:

Network Hardening

  • Firewall configuration
  • Regular network auditing
  • Limit users and secure access points
  • Block unnecessary network ports
  • Disallow anonymous access

Server Hardening

  • Administrative access and rights are allocated properly
  • Secure your data center where servers are located
  • Disallow shut down initiation without log in

Application Hardening

  • Application access control
  • Remove default passwords
  • Implement password best practices
  • Configure account lockout policy

Database Hardening

  • Implement admin restrictions on access
  • Encrypt data entering and leaving the database
  • Remove unused accounts

Operating System Hardening

  • Apply necessary updates and patches automatically
  • Remove unnecessary files, libraries, drivers, and functionality
  • Log all activity, errors, and warnings
  • Limit sharing and system permissions
  • Configure file system and registry permissions

The implementation of these hardening techniques is by no means a comprehensive approach to security, but it’s a great start to ensure your organization is headed in the right direction for a more secure information security program. By gathering the right tools and techniques, you can set yourself up for security success.

Industry-Recognized Experts on System Hardening

The information security industry has endless information on industry-accepted system hardening standards through experts such as CIS, NIST, and SANS. You can dive deeper into hardening standards through NIST’s National Checklist Program for IT Products, NIST’s Guide to General Server Security, and security hardening checklist examples from SANS and The University of Texas at Austin. These experts have extensive resources to provide you with industry-accepted standards for all your security needs. At KirkpatrickPrice, our security practices are influenced and built upon the foundation of these industry-recognized experts. As you establish your own system hardening techniques, you can turn to these experts and the information security specialists at KirkpatrickPrice for security guidance. Contact us, today, to learn how we can help you further establish your security presence.

More Resources

Compliance is Never Enough: Hardening and System Patching

PCI Requirement 6.2 – Ensure all Systems and Software are Protected from Known Vulnerabilities

SOC 2 Academy: Detect and Monitor Changes in Your System Configurations

5 Network Monitoring Tools and Techniques

Network monitoring is an important piece of information security that every organization should be implementing. Using helpful network monitoring tools, you can track performance issues and security problems to mitigate potential issues quickly. But, with such a saturated market, it can be overwhelming to choose a network monitoring tool that best fits your organization. To help you better track and monitor the security of your network continuously, we’ve pulled together five network monitoring tools to consider using.

5 Network Monitoring Tools

These network monitoring tools monitor various aspects of your network and include features such as SNMP, alerts, bandwidth monitoring, uptime/downtime, baseline threshold calculation, network mapping, network health, customizable reports, wireless infrastructure monitoring, and network performance. In no particular order, these five tools were discovered to aid in some of the top network security needs.

ManageEngine OpManager

ManageEngine OpManager is a network monitoring tool that continuously monitors devices such as routers, switches, firewalls, load balancers, wireless LAN controllers, servers, VMs, printers, and storage devices. ManageEngine OpManager must be installed on-site, but it comes with pre-configured network monitor device templates for increased ease-of-use.

Key features include:

  • Real-time network monitoring
  • Physical and virtual server monitoring
  • Multi-level thresholds
  • Customizable dashboards
  • WAN Link monitoring
  • SNMP monitoring
  • Email and SMS alerts
  • Automatic discovery

Paessler PRTG Network Monitor

Paessler PRTG Network Monitor allows organizations to monitor all their systems, devices, traffic, and applications in their IT infrastructure without additional plugins. You can choose between a number of sensors that will monitor areas of your network, such as bandwidth monitoring sensors, hardware parameters sensors, SNMP sensors, VOIP and QoS sensors, and others.

Key features include:

  • Integrated Technologies (SNMP, WMI, SSH, HTTP requests, SQL, and more)
  • Live-status dashboards
  • Email, push, or HTTP request alerts
  • Threshold-based alert system
  • Reports system
  • Scan for devices by IP segment

SolarWinds NPM

While SolarWinds Network Performance Manager has performance in the name, it is still a valuable network security monitoring tool because it tracks network elements such as servers, switches, and applications. SolarWinds NPM can jump from SNMP monitoring to packet analysis to give your organization greater control over the segmentation monitoring of your network and increase network security.

Key features include:

  • Critical path visualization
  • Intelligent mapping
  • WiFi monitoring and heat maps
  • Advanced alerting
  • SNMP monitoring
  • Discovers connected devices automatically

Nagios

Nagios is a monitoring and alerting engine designed to run natively on Linux systems. The open-source model of Nagios provides the opportunity for organizations to customize and adapt the system to meet their needs. The tool breaks down statuses into three categories – Current Network Status, Host Status Totals, and Service Status Totals. Through the use of APIs, you can integrate other services for true flexibility.

Key features include:

  • Performance dashboard
  • API integration
  • Availability reports
  • Alerting
  • Extended add-ons
  • Upgrade capabilities for Nagios XI

WhatsUp Gold

WhatsUp Gold is a tool that pulls infrastructure management, application performance management, and network monitoring all into one tool. It’s a user-friendly tool based on features with customizable pricing packages to fit your organization’s exact structure and network security needs.

Key features include:

  • Hybrid cloud monitoring
  • Real-time performance monitoring
  • Automatic report generation
  • Network mapping
  • Easy-to-use monitoring dashboard

Things to Consider When Choosing a Network Monitoring Tool

Scalability – Depending on the size of your organization and corresponding network size, you need to look for a tool that is able to accommodate that scale. Choose a network monitoring tool that grows in capability as your network grows in size.

Security vs. Performance Tracking – Network monitoring tools vary in the type of monitoring they perform. Network performance tracking tools focus on performance issues and data such as network traffic analysis and network delays. If your goal is to decrease security threats by early detection and prevention tactics, you should consider network security tracking tools.

Cost – The good news about the number of network monitoring tools out in the world is that there is an option for every organization. Whether you’re looking for a free tool to start with or ready to invest funds into a quality networking monitoring tool, there are plenty of options for you.

If you want to learn more about the various tools and techniques you can use to properly secure your network, contact KirkpatrickPrice today. As a firm, we do not partner with any of these tools, but we are passionate about consulting on which solution could benefit your network monitoring techniques.

More Resources

What is Network Penetration Testing?

Think Like a Hacker: Common Vulnerabilities Found in Networks

Know Your Options: Levels of Service for External Network Penetration Tests

Anti-Virus Best Practices: 5 Tools to Protect You

Anti-virus versus anti-malware – what’s the difference? These two categories of protective tools are often misunderstood. It stems from confusion between viruses and malware. A virus is code that can damage your computer, system, and data by copying itself. Malware is used as a catch-all term for malicious software such as spyware, ransomware, trojans, adware, worms, and viruses. Malware is ever evolving whereas viruses have been around for a long time and continue to stay generally the same. Wendy Zamora of Malwarebytes Labs expands further on these differences for you to gain better understanding as you follow anti-virus best practices.

Once you grasp these differences, you can turn your focus to the policies and tools you need to implement to protect against malicious attacks. We’ve gathered a list of five tools to get you started on proper anti-virus protection and a few tips on establishing thorough anti-virus policies to be implemented by your employees.

Protecting Through Anti-Virus Tools

In the world of information security, we often see Internet searches looking for help with Windows Defender or anti-virus for Macs, as well as questions about which anti-virus tools are the best to use. While this list isn’t exhaustive, it’s a good starting place if you’re looking to protect your systems with anti-virus software.

  1. Bitdefender – Bitdefender has enterprise security solutions for all business sizes that help you manage your security from endpoint, to network, to cloud, all of which can include anti-virus and anti-malware software.
  2. Kaspersky – Kaspersky has solutions to predict, prevent, detect, and respond to cyber threats through a number of adaptive security services.
  3. AVG Business – AVG Business offers security tools geared to small business security needs with software that automatically updates to keep your security up to date always. KirkpatrickPrice uses AVG Business to protect our own devices from viruses and various threats.
  4. McAfee – McAfee offers security solutions designed around your business outcomes – transformation, risk management, or automation and efficacy. All of these solutions come with protection against viruses and malware.
  5. Norton – Norton Small Business provides a single solution security service to protect all your devices according to your specific security needs, including malware protection and anti-virus software implementation.

Keep your data secure with anti-virus software that will detect threats, remove all malware, and protect against new threats. Once you’ve implemented anti-virus tools, you can turn your focus to developing detailed policies regarding anti-virus software.

Establishing Anti-Virus Policies

Don’t drop the ball by just adding anti-virus programs to company laptops and expecting that to protect you from all threats. Create policies that expand your protective efforts to ensure your software is patched, anti-virus tools are working effectively, and anti-virus mechanisms are maintained. The PCI framework includes a number of requirements regarding anti-virus and anti-malware software that can be referenced to develop your own policies. Let’s take a look at a few of the PCI requirements that can guide your anti-virus practices:

  • PCI Requirement 5.1.1 requires that your organization’s anti-virus program is capable of detecting all types of malware, removing all known types of malware, and protecting against all known types of malware.
  • PCI Requirement 5.2.1 states, “For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.”
  • PCI Requirement 5.2 exists to, “Ensure that all anti-virus mechanisms are maintained as follows: are kept current, perform periodic scans, and generate audit logs which are retained per PCI DSS Requirement 10.7”
  • PCI Requirement 5.3 states, “Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.”

These requirements express the need to create policies that will ensure your anti-virus software is kept up to date, effective, and purposeful as part of your information security program. Establish procedures that your organization can implement to further secure your systems and protect against malicious malware and unwanted viruses.

Educating Your Employees on Anti-Virus Best Practices

Once you’ve implemented an anti-virus tool, created policies to maintain that software, and established procedures to follow, you need to educate your employees on anti-virus best practices. Anti-virus training should be included in your annual organization-wide security awareness training. User education should be a top focus to ensure the work you’ve put into mitigating these threats is implemented on all devices. Any small gap can lead to big problems, but your employees can be the first line of defense against these threats. If you’re interested in learning more about security awareness training and how regular education can improve your security posture, contact KirkpatrickPrice today.

More Resources

10 Ways to Conduct Patch Management

Security Awareness Training Compliance Requirements: SOC 2, PCI, HIPAA, and More

15 Must-Have Information Security Policies

Best Practices for Vulnerability Scanning

Vulnerability management should be a priority in any organization’s information security program so that there’s an established approach for identifying and rating issues affecting in-scope systems in a given environment. Vulnerability scans are a main component of vulnerability management, allowing you to evaluate your systems, software, and infrastructure for unpatched holes and gaps in need of remediation. Let’s talk through some best practices for vulnerability scanning to help you protect your assets.

How Often Should You Perform Vulnerability Scanning?

The frequency of vulnerability scanning depends on a few factors: organizational changes, compliance standards, and security program goals. If your organization is looking to maintain a high level of security, vulnerability scanning needs to be added to your information security program. Vulnerability scans should be conducted after any major system, organization, or infrastructure change to ensure you’re aware of any security gaps. And, of course, to comply with various regulations, annual, quarterly, or monthly vulnerability scanning may be required as part of your information security program.

Overall, an industry best practice is to perform vulnerability scanning at least once per quarter. Quarterly vulnerability scans tend to catch any major security holes that need to be assessed, but depending on your unique organizational needs, you may end up performing scans monthly or even weekly. The best way to assess vulnerability scanning frequency is to thoroughly understand your own security structure and the threats you face.

Framework Requirements for Vulnerability Scanning

On your compliance journey, you’ll realize many compliance standards include requirements for regular vulnerability scanning. Some standards require a higher frequency of vulnerability scanning than others, yet most include vulnerability management to some degree. You can expect to see requirements for vulnerability scanning from these industry compliance and regulatory standards:

  • ISO 27001: Requires quarterly external and internal vulnerability scans
  • HIPAA: Requires a thorough risk assessment and vulnerability process, which can be identified with vulnerability scanning
  • PCI DSS: Requires quarterly external and internal scans conducted by an ASV (Approved Scanning Vendor)
  • FISMA: Requires documentation and implementation of a vulnerability program to protect the availability, confidentiality, and integrity of IT systems
  • NIST: Requires either quarterly or monthly vulnerability scans depending on the particular NIST framework (800-171, 800-53, etc.)

How to Perform Vulnerability Scanning

Vulnerability scans are often confused with penetration tests; however, they serve different purposes in your information security program. Vulnerability scanning is an automated process designed to highlight issues on a wide range of systems at regular intervals. With vulnerability scans, you can discover issues such as missing patches and vulnerable software packages. Penetration testing, however, is performed in both manual and automated forms with a more targeted goal in mind. Understanding the difference and value of these two tools is important so that you can conduct vulnerability scanning with the right expectations.

Vulnerability scanning is conducted with a variety of tools, such as the tools found in OWASP’s list, that can scan systems for various security vulnerabilities. When you hire someone to conduct your vulnerability scans, you’re hiring someone to use a tool on your system. Sometimes, other auditing firms will charge high fees for “manual vulnerability management,” when in reality, they’re using an automated tool to scan your environment. Don’t be fooled into overpriced services that complete the same scan as any helpful vulnerability scanning tool does.

At KirkpatrickPrice, we pride ourselves on honesty and integrity. When you look to us to perform vulnerability scanning services, you’ll know our processes and tools upfront. You can expect a thorough scan of your networks, system, and equipment to detect and classify any vulnerabilities. Interested in learning more about our vulnerability scanning services? Contact us, today.

More Vulnerability Management Resources

Auditor Insights: Vulnerability Assessments vs Penetration Testing

PCI Requirement 11.2.2 – Perform Quarterly External Vulnerability Scans via an Appropriate Scanning Vendor

10 Ways to Conduct Patch Management

Business Continuity Plan Checklist

The world is full of unexpected events. You never know when your organization will be hit with a disaster. Developing a detailed business continuity plan (BCP) is the best way to prepare your organization to jump into action when disaster strikes.

Every organization is different and will need a customized BCP that details their specific processes and procedures to implement in case of a disaster. What should you include in your business continuity plan? Check out our PDF that outlines the basics you can start with to create and document your BCP.

Documenting and Testing Your Business Continuity Plan

After you’ve created the basics of your plan, you need to document all the procedures. This process is critical to ensure you restore all functions of your organization if and when a disaster occurs. Don’t just rely on imagined processes to get you through. You need to have detailed procedures written down so that everyone in your organization can refer to your plan when necessary.

How can you know if your business continuity plan will work when you need it most? You need to regularly test your BCP to ensure all employees are trained and all procedures will accomplish their intended goals. Once you test your plan, you can review it for gaps and improve it for future implementation.

How KirkpatrickPrice Can Help

Our Information Security Auditors and Professional Writing Team have developed tools to provide customized help to organizations looking to further their business continuity plans. Whether you have yet to create a BCP or are just wanting an extra layer of assurance that it’s detailed enough, we are here to help. KirkpatrickPrice offers services that help you start from scratch with an understanding of your organization and operations, tools to help you create a detailed plan, and experts to walk you through documentation. We encourage regular testing in various forms, such as table-top exercises. Let’s work on securing your organization in the event a disaster strikes. Contact us, today, to learn how we can partner together.

More Resources

SOC 2 Academy: Testing Your Business Continuity Plan

Auditor Insights: Disaster Recovery and Business Continuity

Cloud Security: Business Continuity and Disaster Recovery Planning