System Hardening and Vulnerability Management
When developing an information security strategy, the emphasis should always begin with prevention of attacks before detection.
Organizations suffer IT security breaches because they leave gaps in their defenses, gaps that are subsequently exploited. Protection from malware, hackers and even rogue insiders with admin rights requires tighter governance of system security than ever before.
Mitigation of known vulnerabilities through hardening of IT systems is the most effective way to render them secure, protecting the information being processed and stored. Other security defense measures will be used in a layered approach to protecting information assets, but system hardening is always the foundation security best practice.
Key Issues - System Hardening and Vulnerability Management
- How do you make systems truly secure?
- How do you get comprehensive and authoritative hardening checklists for all IT systems?
- How do you measure and maintain compliance with your hardened build standard and governance standard?
A hardened system is one that is fundamentally secure and rendered hack-proof. Hardening a device requires known security ‘vulnerabilities’ to be eliminated or mitigated. A ‘vulnerability’ is any weakness or flaw in software design, implementation, administration and configuration of a system, which provides a mechanism for an attacker to exploit. A secure, locked down configuration requires care to achieve a good balance between security and operational function.
Vulnerability management and maintaining a hardened build standard are inextricably linked to tight change control. Any configuration changes, be it a through patching or other system maintenance, may introduce vulnerabilities so visibility and control of changes is an essential security best practice.
Authoritative hardening checklists for all platforms, database systems and applications – CIS Benchmarks
While there are numerous reference sources for such checklists – The SANS Institute, NIST, Microsoft and Oracle all publish hardening best practice checklists, plus there are numerous guides and forums across the internet - these different sources can lead to contradictory advice, provided in inconsistent formats.
The Center for Internet Security are the information security industry’s Number One authority on secure-configuration guidance. CIS Benchmarks are recognized as the Industry-standard for System hardening and Vulnerability Mitigation guidance.
And because CIS Benchmark vulnerability mitigation intelligence is consensus-derived from a variety of manufacturer, security specialist and academic sources, this approach delivers the most complete and accurate hardening checklists available.
Included for each vulnerability is a detailed description, rationale and testing direction for auditing compliance. Where vulnerabilities are identified, easy-to-understand remediation advice is presented.
Best of all, CIS Benchmarks are consistently presented for all
- Windows, Linux and Unix platforms
- Database Systems such as SQL Server, Oracle, DB2 and MySQL
- Applications such as web servers, email servers, LDAP, DNS and Browsers
- Virtualization Platforms such as ESX Server
- Mobile platforms such as iOS and Android
- Network Devices and Firewalls such as Cisco, Juniper and CheckPoint
NNT are one of a handful of CIS Certified Vendors – NNT provide a full range of CIS Benchmark reports that can be used to audit enterprise networks and then monitor continuously for any drift from your hardened build-standard. This ensures systems stay within compliance 24/7.
Hardening checklists are usually lengthy, complex to understand and time-consuming to implement, even for one server, let alone a whole estate. A typical checklist for an operating system like Windows or Linux will run into hundreds of tests and settings.
The typical approach to testing for vulnerabilities and measuring compliance with a hardened build standard is to use a vulnerability scanner, such as Qualys®, Rapid 7®, Nessus® or Tripwire®/nCircle®.
There are two problems with this – first, scans are simply a snapshot of compliance and any configuration drift between scans will not be detected leaving systems vulnerable to attack until the next scheduled scan. The other major problem is that a scanner is blind to zero day threats and doesn’t provide any file integrity monitoring to detect breach activity. NNT’s non-stop file integrity monitoring provides continuous compliance assessment and real-time breach detection.
And the number one solution that delivers all the
key security and compliance benefits of file integrity monitoring is NNT Change Tracker™
Easiest To Use – Most Fully Featured – Most Affordable
Learn more about NNT Change Tracker here