System Hardening and Vulnerability Management

A hardened system is one that is fundamentally secure and rendered hack-proof. Hardening a device requires known security 'vulnerabilities' to be eliminated or mitigated. A 'vulnerability' is any weakness or flaw in software design, implementation, administration and configuration of a system, which provides a mechanism for an attacker to exploit. A secure, locked down configuration requires care to achieve a good balance between security and operational function.

Vulnerability management and maintaining a hardened build standard are inextricably linked to tight change control. Any configuration changes, be it a through patching or other system maintenance, may introduce vulnerabilities so visibility and control of changes is an essential security best practice.

Authoritative hardening checklists for all platforms, database systems and applications – CIS Benchmarks

While there are numerous reference sources for such checklists – The SANS Institute, NIST, Microsoft and Oracle all publish hardening best practice checklists, plus there are numerous guides and forums across the internet - these different sources can lead to contradictory advice, provided in inconsistent formats.

The Center for Internet Security are the information security industry's Number One authority on secure-configuration guidance. CIS Benchmarks are recognized as the Industry-standard for System hardening and Vulnerability Mitigation guidance.

And because CIS Benchmark vulnerability mitigation intelligence is consensus-derived from a variety of manufacturer, security specialist and academic sources, this approach delivers the most complete and accurate hardening checklists available.

Included for each vulnerability is a detailed description, rationale and testing direction for auditing compliance. Where vulnerabilities are identified, easy-to-understand remediation advice is presented.

Best of all, CIS Benchmarks are consistently presented for all

• Windows, Linux and Unix platforms
• Database Systems such as SQL Server, Oracle, DB2 and MySQL
• Applications such as web servers, email servers, LDAP, DNS and Browsers
• Virtualization Platforms such as ESX Server
• Mobile platforms such as iOS and Android
• Network Devices and Firewalls such as Cisco, Juniper and CheckPoint

NNT are one of a handful of CIS Certified Vendors – NNT provide a full range of CIS Benchmark reports that can be used to audit enterprise networks and then monitor continuously for any drift from your hardened build-standard. This ensures systems stay within compliance 24/7.

Hardening checklists are usually lengthy, complex to understand and time-consuming to implement, even for one server, let alone a whole estate. A typical checklist for an operating system like Windows or Linux will run into hundreds of tests and settings.

The typical approach to testing for vulnerabilities and measuring compliance with a hardened build standard is to use a vulnerability scanner, such as Qualys®, Rapid 7®, Nessus® or Tripwire®/nCircle®.

There are two problems with this – first, scans are simply a snapshot of compliance and any configuration drift between scans will not be detected leaving systems vulnerable to attack until the next scheduled scan. The other major problem is that a scanner is blind to zero day threats and doesn't provide any file integrity monitoring to detect breach activity. NNT's non-stop file integrity monitoring provides continuous compliance assessment and real-time breach detection.