Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

How do attackers exploit the absence of this control?

On both the Internet and internal networks that attackers have already compromised, automated attack programs constantly scan target networks for systems running software in the vulnerable default configuration in which it was delivered by manufacturers and resellers, which makes them immediately exploitable. Default configurations are usually geared to ease of deployment and ease of use rather than security, leaving extraneous services running that are exploitable in their default state. Attackers use these techniques against both network-accessible services and client software such as browsers.
Defenses against these automated exploits include procuring computer and network components with the secure configurations already implemented, deploying such preconfigured hardened systems, updating these configurations on a regular basis, and tracking them in a configuration management system.

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: Strict configuration management should be followed, building a secure image that is used to build all new systems that are deployed to the enterprise. Any existing system that becomes compromised is re-imaged with the secure build. Regular updates to this image are integrated into the organization's change management processes.
  2. Quick wins: System images must have documented security settings that are tested before deployment, approved by an organization change control board, and registered with a central image library for the organization or multiple organizations. These images should be validated and refreshed on a regular basis (e.g., every six months) to update their security configuration in light of recent vulnerabilities and attack vectors.
  3. Quick wins: Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system, such as those released by NIST, NSA, the Defense Information Systems Agency (DISA), the Center for Internet Security (CIS), and others. This hardening would typically include removal of unnecessary accounts, disabling or removal of unnecessary services, and configuring nonexecutable stacks and heaps through operating system features such as data execution prevention (DEP). Such hardening also involves, among other measures, applying patches, closing open and unused network ports, deploying intrusion detection and/or intrusion prevention systems, and enabling host-based firewalls.
  4. Quick wins: Any deviations from the standard build or updates to the standard build should be documented and approved in a change management system.
  5. Quick wins: Organizations should negotiate contracts to buy systems configured securely out of the box using standardized images, which should be devised to avoid extraneous software that would increase their attack surface and susceptibility to vulnerabilities.
  6. Quick wins: The master images themselves must be stored on securely configured servers, with integrity checking tools and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network.
  7. Quick wins: Run the latest version of software and make sure it is fully patched. Remove outdated or older software from the system.
  8. Configuration/Hygiene: All remote administration of servers, workstations, network devices, and similar equipment should be done over secure channels. Protocols such as telnet, virtual network computing (VNC), remote desktop protocol (RDP), or other protocols that do not natively provide strong encryption should only be used if they are tunneled through a secondary encrypted channel, such as TLS (the successor to secure sockets layer, SSL) or Internet protocol security (IPsec).
  9. Configuration/Hygiene: At least once a month, run assessment programs on a varying sample of systems to determine which ones are configured according to the secure configuration guidelines.
  10. Configuration/Hygiene: Utilize file integrity checking tools on at least a weekly basis to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. All alterations to such files should be automatically reported to security personnel. The reporting system should have the ability to account for routine and expected changes, highlighting unusual or unexpected alterations.
  11. Configuration/Hygiene: Implement and test an automated configuration monitoring system that measures all secure configuration elements that can be measured through remote testing, using features such as those included with SCAP-compliant tools to gather configuration vulnerability information. These automated tests should analyze both hardware and software changes, network configuration changes, and any other modifications affecting security of the system.
  12. Configuration/Hygiene: Provide senior executives with charts showing the number of systems that match configuration guidelines versus those that do not match, illustrating the change of such numbers month by month for each organizational unit.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls
CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6
Associated NSA Manageable Network Plan Milestones and Network Security Tasks
Milestone 7: Baseline Management
Configuration and Change Management

Procedures and Tools to Implement and Automate this Control

Organizations can implement this control by developing a series of images and secure storage servers for hosting these standard images. Commercial and/or free configuration management tools can then be employed to measure the operating system and application settings of managed machines and look for deviations from the standard image configurations used by the organization. Some configuration management tools require that an agent be installed on each managed system, while others remotely log in to each managed machine using administrator credentials. Either approach, or a combination of the two, can provide the information needed for this control.
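As an added illustration of the measurement described above (not code from the document or from any commercial configuration management product), the following checks sshd_config-style settings against a hypothetical hardening baseline and rolls the results up per organizational unit, which is the figure item 12 asks to chart for executives. The baseline values, host names, and configuration text are constructed for the example; a real tool would collect each host's configuration through an agent or by remote login as the paragraph describes.

```python
"""Configuration-compliance assessment against a hardening baseline.

Added example (not from the Critical Controls document). BASELINE and
SAMPLE_HOSTS are hypothetical values constructed for illustration.
"""

# Hypothetical hardening baseline: sshd setting -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
}

# Constructed sample: (organizational unit, hostname, collected sshd_config text).
SAMPLE_HOSTS = [
    ("finance", "fin-01",
     "Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\n"),
    ("finance", "fin-02",
     "Protocol 2\nPermitRootLogin yes  # left over from build\n"
     "PasswordAuthentication no\nX11Forwarding no\n"),
    ("eng", "eng-01",
     "Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\n"),  # X11Forwarding absent
]


def parse_config(text):
    """Parse 'Keyword value' lines, ignoring comments and blank lines.
    Keywords are lower-cased because sshd treats them case-insensitively."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def assess(text, baseline=BASELINE):
    """Return [(setting, required, actual)] for every baseline deviation.
    A setting missing from the file is a deviation: the daemon's compiled-in
    default cannot be assumed to be the secure value."""
    cfg = parse_config(text)
    return [(k, v, cfg.get(k.lower())) for k, v in baseline.items()
            if cfg.get(k.lower()) != v]


def compliance_by_unit(hosts, baseline=BASELINE):
    """Roll host results up to {unit: (compliant_count, total_count)},
    the numbers an executive chart would plot month over month."""
    out = {}
    for unit, _hostname, text in hosts:
        compliant, total = out.get(unit, (0, 0))
        out[unit] = (compliant + int(not assess(text, baseline)), total + 1)
    return out


if __name__ == "__main__":
    for unit, host, text in SAMPLE_HOSTS:
        print(unit, host, assess(text) or "compliant")
    for unit, (c, t) in compliance_by_unit(SAMPLE_HOSTS).items():
        print(f"{unit}: {c}/{t} compliant ({100 * c // t}%)")
```

The same pattern extends to any setting a scanner can read remotely (registry values, service states, listening ports); the baseline dictionary is the machine-readable form of the documented security settings that item 2 requires for each approved image.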

Control 3 Metric:

The system must be capable of identifying any changes to an official hardened image, including modifications to key files, services, ports, configuration files, or any software installed on the system. Modifications include the deletion or alteration of existing software and the addition of new software in any part of the operating system, services, or applications running on the system. The configuration of each system must be checked against the official master image database to verify any changes to secure configurations that would impact security. Any such change to a computer system must be detected within 24 hours, with notification performed by alerting or sending e-mail to a list of enterprise administrative personnel. Systems must block installation, prevent execution, or quarantine unauthorized software within one additional hour, alerting or sending e-mail when this action has occurred. Every 24 hours after that point, the system must alert or send e-mail about the status of the system until it has been removed from the network or remediated. While the 24-hour and one-hour timeframes represent the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid alerting and isolation, with notification about unauthorized changes sent within two minutes and installation and execution blocked within five minutes.

Control 3 Test:

To evaluate the implementation of Control 3 on a periodic basis, an evaluation team must move a benign test system that does not contain the official hardened image, but that does contain additional services, ports and configuration file changes, onto the network. This must be performed on 10 different random segments using either real or virtual systems. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the changes to the software within 24 hours. It is important that the evaluation team verify that all unauthorized changes have been detected. The team must also verify that the alert or e-mail is received within one additional hour indicating that the software has been blocked or quarantined. The evaluation team must verify that the system provides details of the location of each machine with the unauthorized changes, including information about the asset owner.
The evaluation team must then verify that the software is blocked by attempting to execute it and verifying that it is not allowed to run. In addition to these tests, two additional tests must be performed:
  1. File integrity checking tools must be run on a regular basis. Any changes to critical operating system, services, and configuration files must be checked on an hourly basis. Any changes must be blocked and follow the above e-mail notification process.
  2. System scanning tools that check for open ports, services, software version, patch levels, and configuration files must be run on a daily basis. Any changes must be blocked and follow the above e-mail notification process.
Control 3 Sensors, Measurement, and Scoring
Sensor: File integrity software
Measurement: File integrity monitoring software is deployed on servers as a part of the base configuration. Centralized solutions like Tripwire are preferred over stand-alone solutions.
Score: 50 percent awarded for using a solution like Tripwire with a central monitoring/reporting component. The remaining 50 percent is based on the percentage of servers on which the solution is deployed.
Sensor: Standard images
Measurement: Standard images for the installation of systems have been created based on an accepted security standard published by organizations such as the CIS, NSA, DISA and others.
Score: Pass/Fail
Sensor: Network-based image deployment system
Measurement: Computers are built from secured masters pushed out by image servers. Solutions such as Acronis, Ghost, and others are appropriate.
Score: Percentage of systems built from and potentially managed by the solution.