CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
The default configuration settings for most platforms, applications and devices are optimized for ease of use and deployment, not security. Open services and ports, unnecessary software, old vulnerabilities - all can be exploited in their default state. For this reason, organizations must maintain documented, standard security configuration standards for all authorized operating systems and software.
Let’s jump right into CIS Control 5 and the five sub controls associated with the fifth basic CIS Control.
5.1: Establish Secure Configurations
- Maintain documented security configuration standards for all authorized operating systems and software.
In this sub control, organizations are advised to leverage publicly developed, vetted, and supported security benchmarks and guides such as the CIS Benchmarks and NIST SP 800-53. As a CIS Certified vendor, NNT has access to a wide library of CIS Benchmark reports that can be used to audit enterprise networks and continuously monitor for any drift from your hardened build standard.
By creating a secure and compliant state for all IT systems and combining that with ongoing, context-based change control plus baseline management, NNT Change Tracker™ Gen7 R2 would help your organization ensure that systems remain in a secure and compliant state at all times.
5.2: Maintain Secure Images
- Maintain secure images or templates for all systems in the enterprise based on the organization’s approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
CIS Benchmark secure configuration guidance should be used to build secure images and templates for systems. These provide comprehensive, consensus-based intelligence to reduce the attack surface for all IT systems.
5.3: Securely Store Master Images
- Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
Secure images and configuration templates exist solely to ensure production systems are in compliance with the Gold Build standard. As such, the images/templates must be protected using change control and integrity monitoring just as much as any live production system.
Learn more about our state of the art FIM solution and security best practices in our latest Whitepaper: Security Best Practices and File Integrity Monitoring, and you can learn more about our solution by watching our latest FIM video overview.
5.4: Deploy System Configuration Management Tools
- Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
In this sub control, organizations are advised to deploy system configuration management tools. It’s great to know when changes have been made, but knowing what to do about those changes is a totally different story.
Change Control and Configuration Management are two of the most critical processes with respect to deploying and operating secure and highly available systems and software. NNT Change Tracker helps organizations by providing them with step by step remediation guidance and the ability to auto remediate.
5.5: Implement Automated Configuration Monitoring Systems
- Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
This step covers the importance of continuously managing software and system configurations to ensure they remain secure. Automated configuration assessment tools like NNT Change Tracker can monitor systems’ compliance to specific configuration and report compliance over time, spotting any inconsistencies and detailing remediation steps to follow.
Figure: System Entity Relationship Diagram
Most systems by default today are configured for ease of use, not for security. Organizations must reconfigure these systems to a secure, hardened standard and monitor for any deviations. By leveraging configuration standards like the CIS Benchmarks, most organizations can successfully implement this basic security control.
With NNT Change Tracker, pre-built device hardening templates derived from CIS Benchmarks are used to audit for any known vulnerabilities. Database systems, servers, and network devices are then continuously monitored for any drift from your secure, hardened state.
NNT just recently hosted a webinar with the Center for Internet Security (CIS) on this particular control called Cybersecurity Lesson from the Death Star: CIS Control 5 Explained in 30 Minutes.
During this webinar, NNT CTO Mark Kedgley and SVP and Chief Evangelist of the CIS, Tony Sager, discussed the control elements of CIS Control 5 and explored NNT’s unique SecureOps strategy, with the goal of aligning IT operations with effective security controls that increase service availability while also mitigate security risk.
You can watch this webinar on-demand here:
You can also learn more about the CIS controls here.
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License.
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises