System Hardening and Vulnerability Management
When developing an information security strategy, the emphasis should always be on preventing attacks first, with detection second.
IT products are designed to be easy to use, quick to deliver results and to require as little user intervention as possible.
All of these goals, of course, are in direct conflict with the objective of maximizing system security. As a consequence, the default security configuration settings for any operating system, database system or network device are typically weak. Attackers know which moves to try in order to break into or disrupt systems, so countermeasures are needed, but you also need to protect systems from privileged internal users who may choose to abuse their system permissions.
Organizations suffer IT security breaches because they leave gaps in their defenses, gaps that are subsequently exploited. Protection from malware, hackers and even rogue insiders with admin rights requires tighter governance of system security than ever before.
Mitigation of known vulnerabilities through hardening of IT systems is the most effective way to render them secure, protecting the information being processed and stored. Other security defense measures will be used in a layered approach to protecting information assets, but system hardening is always the foundation security best practice.
Key Issues - System Hardening and Vulnerability Management
A hardened system is one that is fundamentally secure and rendered hack-proof. Hardening a device requires known security ‘vulnerabilities’ to be eliminated or mitigated. A ‘vulnerability’ is any weakness or flaw in software design, implementation, administration and configuration of a system, which provides a mechanism for an attacker to exploit. A secure, locked down configuration requires care to achieve a good balance between security and operational function.
Vulnerability management and maintaining a hardened build standard are inextricably linked to tight change control. Any configuration change, whether through patching or other system maintenance, may introduce vulnerabilities, so visibility and control of changes are an essential security best practice.
Authoritative hardening checklists for all platforms, database systems and applications – CIS Benchmarks
While there are numerous reference sources for such checklists (the SANS Institute, NIST, Microsoft and Oracle all publish hardening best-practice checklists, and there are numerous guides and forums across the internet), these different sources can give contradictory advice, provided in inconsistent formats.
The Center for Internet Security is the information security industry's number one authority on secure-configuration guidance. CIS Benchmarks are recognized as the industry standard for system hardening and vulnerability mitigation guidance.
And because CIS Benchmark vulnerability mitigation intelligence is consensus-derived from a variety of manufacturer, security specialist and academic sources, this approach delivers the most complete and accurate hardening checklists available.
Included for each vulnerability is a detailed description, rationale and testing direction for auditing compliance. Where vulnerabilities are identified, easy-to-understand remediation advice is presented.
Best of all, CIS Benchmarks are consistently presented for all
- Windows, Linux and Unix platforms
- Database Systems such as SQL Server, Oracle, DB2 and MySQL
- Applications such as web servers, email servers, LDAP, DNS and Browsers
- Virtualization Platforms such as ESX Server
- Mobile platforms such as iOS and Android
- Network Devices and Firewalls such as Cisco, Juniper and CheckPoint
NNT are one of a handful of CIS Certified Vendors – NNT provide a full range of CIS Benchmark reports that can be used to audit enterprise networks and then monitor continuously for any drift from your hardened build-standard. This ensures systems stay within compliance 24/7.
Hardening checklists are usually lengthy, complex to understand and time-consuming to implement, even for one server, let alone a whole estate. A typical checklist for an operating system like Windows or Linux will run into hundreds of tests and settings.
The typical approach to testing for vulnerabilities and measuring compliance with a hardened build standard is to use a vulnerability scanner, such as Qualys, Rapid7, Nessus or Tripwire/nCircle. There are two problems with this. First, scans are simply a snapshot of compliance: any configuration drift between scans will not be detected, leaving systems vulnerable to attack until the next scheduled scan. Second, a scanner is blind to zero-day threats and doesn't provide any file integrity monitoring to detect breach activity. NNT's non-stop file integrity monitoring provides continuous compliance assessment and real-time breach detection.
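The two ideas above, auditing a configuration against a hardened build standard and catching drift between scans by comparing file hashes against a baseline (the change-control point made earlier also rests on this), are illustrated by the following added example. It is not NNT's, CIS's or any scanner's code; the sshd_config excerpt, the rule ids and required values, and the file paths are constructed for illustration and are not quoted from a real CIS Benchmark.

```python
"""Added example: a minimal build-standard audit plus a hash-based
file integrity baseline/drift check. Not NNT's or CIS's code; all
config text, rule ids, values and paths below are constructed."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed, CIS-style check set for an SSH daemon configuration.
# Each rule is (rule id, directive, required value); ids are illustrative.
BUILD_STANDARD: List[Tuple[str, str, str]] = [
    ("SSH-01", "PermitRootLogin", "no"),
    ("SSH-02", "PasswordAuthentication", "no"),
    ("SSH-03", "X11Forwarding", "no"),
    ("SSH-04", "MaxAuthTries", "4"),
]


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse 'Directive value' lines, skipping blanks and '#' comments.
    The first occurrence of a directive wins, as sshd itself applies it,
    so a later duplicate cannot silently override a hardened value."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0], parts[1].strip())
    return settings


def audit_config(text: str, standard: List[Tuple[str, str, str]]
                 ) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (rule id, directive, required, actual) for each failed rule.
    A missing directive fails the rule: the daemon default may be weaker."""
    settings = parse_kv_config(text)
    failures = []
    for rule_id, key, required in standard:
        actual = settings.get(key)
        if actual is None or actual.lower() != required.lower():
            failures.append((rule_id, key, required, actual))
    return failures


def build_baseline(files: Dict[str, str]) -> Dict[str, str]:
    """Record a SHA-256 digest per monitored file (path -> hex digest)."""
    return {path: hashlib.sha256(content.encode("utf-8")).hexdigest()
            for path, content in files.items()}


def detect_drift(baseline: Dict[str, str],
                 current_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current file set against the baseline and report
    changed, added and removed paths. This is the check a snapshot
    scanner never performs between its scheduled runs."""
    current = build_baseline(current_files)
    return {
        "changed": sorted(p for p in baseline
                          if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed sshd_config excerpt in its hardened state.
HARDENED_SSHD = """# constructed sshd_config excerpt
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""

# Constructed drifted state: root login re-enabled after the last scan.
DRIFTED_SSHD = HARDENED_SSHD.replace("PermitRootLogin no", "PermitRootLogin yes")


def demo() -> Tuple[Dict[str, List[str]], List[Tuple[str, str, str, Optional[str]]]]:
    """Baseline at scan time, then audit the drifted state later."""
    files_at_scan = {"/etc/ssh/sshd_config": HARDENED_SSHD}
    baseline = build_baseline(files_at_scan)
    # Constructed later state: one file edited, one drop-in file added.
    files_later = {
        "/etc/ssh/sshd_config": DRIFTED_SSHD,
        "/etc/ssh/sshd_config.d/99-local.conf": "X11Forwarding yes\n",
    }
    drift = detect_drift(baseline, files_later)
    failures = audit_config(files_later["/etc/ssh/sshd_config"], BUILD_STANDARD)
    return drift, failures


if __name__ == "__main__":
    drift_report, failed_rules = demo()
    print("drift:", drift_report)
    print("failed rules:", failed_rules)
```

In a real deployment the baseline would be taken from the files on disk at the moment a system was certified compliant and rechecked on every change event rather than on a schedule; the added drop-in file in the demo is reported as drift even though the main config audit alone would not see it, which is why hash-based integrity monitoring and rule-based auditing complement each other.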
And the number one solution that delivers all the key security and compliance benefits of file integrity monitoring is NNT Change Tracker™
Easiest To Use – Most Fully Featured – Most Affordable
Learn more about NNT Change Tracker here
Protecting data stored in our SQL server app was an absolutely key requirement for us and NNT were able to provide a single solution that covered this together with other PCI requirements for configuration management, file integrity monitoring and logging. I think we really benefitted from NNT's experience of helping other organizations to implement PCI Compliance measures, and definitely saved money compared to other options we considered.
Carlos Parada, MIS Director, NAFSA
Device Hardening Articles
- PCI DSS Version 3 and File Integrity Monitoring – New Standard, Same Problems
- Server Hardening Checklist - Which Configuration Hardening Checklist Will Make My Server Most Secure?
- Server Hardening Policy - Examples and Tips
- Cyber Threat Sharing Bill and Cyber Incident Response Scheme – Shouldn’t We Start with System Hardening and FIM?
Device Hardening Press
Read: IT security basics are being overlooked
"Recent breaches have revealed that not only are many security experts guilty of focusing on the bright shiny new products while overlooking the more mundane evolutionary upgrades of traditional defences. Of course, security threats are constantly changing – but is that a reason to ignore the first principles of IT security: assessing vulnerabilities, hardening the infrastructure, and checking for unexpected changes?"