On both the Internet and internal networks that attackers have already compromised, automated attack programs constantly scan target networks for systems running vulnerable software configured the way it was delivered by manufacturers and resellers, which leaves them immediately vulnerable to exploitation. Default configurations are often geared to ease of deployment and ease of use rather than security, leaving extraneous services that are exploitable in their default state. In addition, patches are not always applied in a timely manner, and software updates often introduce unknown weaknesses into a piece of software, leaving it vulnerable to zero-day exploits. Attackers attempt to exploit both network-accessible services and browsing client software using such techniques.
Defenses against these automated exploits include procuring computer and network components with the secure configurations already implemented, deploying such pre-configured hardened systems, updating these configurations on a regular basis, and tracking them in a configuration management system.
1. Quick wins (First Five - #2) [5]: Establish and ensure the use of standard secure configurations of your operating systems. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system, such as those published by the vendor for high security situations and those released by the NSA, Defense Information Systems Agency (DISA), and the Center for Internet Security (CIS). This hardening would typically include removal of unnecessary accounts, disabling or removal of unnecessary services, and configuring nonexecutable stacks and heaps. Such hardening also involves, among other measures, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and erecting host-based firewalls. Running only standard, secure configurations will allow you to install all new security patches within 24-48 hours. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.
2. Quick wins (First Five - #3 and #4): Implement automated patching tools and processes that ensure security patches are installed within 48 hours of their release for both applications and for operating system software. When outdated systems can no longer be patched, update to the latest version of application software. Remove outdated, older, and unused software from the system.
3. Quick wins (First Five - #5): Limit administrative privileges to very few users who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system. This will help prevent installation of unauthorized software and other abuses of administrator privileges.
4. Quick wins: Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates to this image should be integrated into the organization's change management processes. Images should be created for workstations, servers, and other system types used by the organization.
5. Quick wins: Store the master images on securely configured servers, with integrity checking tools and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network. Images should be tested at the hot or warm disaster recovery site if one is available.
6. Visibility/Attribution: Any deviations from the standard build or updates to the standard build should be approved by a change control board and documented in a change management system.
7. Visibility/Attribution: Negotiate contracts to buy systems configured securely out of the box using standardized images, which should be devised to avoid extraneous software that would increase their attack surface and susceptibility to vulnerabilities.
8. Visibility/Attribution: Utilize application white listing to control and manage any configuration changes to the software running on the system.
9. Configuration/Hygiene: Do all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL or IPSEC.
10. Configuration/Hygiene: Utilize file integrity checking tools on at least a weekly basis to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. All alterations to such files should be automatically reported to security personnel. The reporting system should have the ability to account for routine and expected changes, highlighting unusual or unexpected alterations.
11. Configuration/Hygiene: Implement and test an automated configuration monitoring system that measures all secure configuration elements that can be measured through remote testing, using features such as those included with tools compliant with Security Content Automation Protocol (SCAP) to gather configuration vulnerability information. These automated tests should analyze both hardware and software changes, network configuration changes, and any other modifications affecting security of the system.
12. Configuration/Hygiene: Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for Unix systems, that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
13. Advanced: Adopt a formal process and management infrastructure for configuration control of mobile devices. The process needs to include secure remote wiping of lost or stolen devices, approval of corporate apps, and denial of unapproved apps. If the device is owned by the organization, a full wipe should be performed. If it is a BYOD system, a selective wipe should be performed, removing the organization's information.
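Item 10 asks for a file integrity checking tool that reports alterations to critical files while accounting for routine, approved changes. The following is an added example, written for this page and not part of the control text or any product: it hashes a watched set of files into a baseline, re-checks later, and classifies added, removed and modified files, separating changes recorded in an "expected" set (the approved entries from change management) from unexpected alterations that should be alerted. The file paths and contents are constructed in a temporary directory for the demonstration, not real system files.

```python
"""Minimal file integrity baseline/compare with an approved-change allowlist.

Added example for the file integrity checking item of this control; the
watched paths and their contents are constructed under a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watched: list) -> dict:
    """Map each watched relative path to its hash; files that do not exist are omitted."""
    baseline = {}
    for rel in watched:
        p = root / rel
        if p.is_file():
            baseline[rel] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict, expected: set) -> dict:
    """Classify deviations between two manifests.

    Returns {'expected': [...], 'unexpected': [...]} where each entry is
    (kind, path) and kind is 'added', 'removed' or 'modified'. Paths listed
    in `expected` are approved through change control and are logged rather
    than alerted; everything else is an unexpected alteration.
    """
    result = {"expected": [], "unexpected": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            kind = "removed"
        elif rel not in baseline:
            kind = "added"
        elif baseline[rel] != current[rel]:
            kind = "modified"
        else:
            continue  # unchanged
        bucket = "expected" if rel in expected else "unexpected"
        result[bucket].append((kind, rel))
    return result


def demo() -> dict:
    """Construct a fake system tree, take a baseline, mutate it, and compare."""
    watched = ["etc/ssh/sshd_config", "etc/passwd", "usr/sbin/sshd", "etc/cron.d/backup"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in [
            ("etc/ssh/sshd_config", b"PermitRootLogin no\n"),
            ("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n"),
            ("usr/sbin/sshd", b"\x7fELF-constructed-binary-v1"),
        ]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        baseline = build_baseline(root, watched)

        # Approved change: a patched sshd binary rolled out under a change ticket (constructed).
        (root / "usr/sbin/sshd").write_bytes(b"\x7fELF-constructed-binary-v2")
        # Unexpected changes: the sshd configuration is weakened and a new cron job appears.
        (root / "etc/ssh/sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (root / "etc/cron.d").mkdir(parents=True, exist_ok=True)
        (root / "etc/cron.d/backup").write_bytes(b"0 * * * * root /opt/unapproved-job.sh\n")

        current = build_baseline(root, watched)
        return compare(baseline, current, expected={"usr/sbin/sshd"})


if __name__ == "__main__":
    report = demo()
    for kind, rel in report["unexpected"]:
        print(f"ALERT {kind}: {rel}")
    for kind, rel in report["expected"]:
        print(f"approved {kind}: {rel}")
```

In a real deployment the baseline manifest would be generated from the master image and stored where the integrity-checking host cannot be altered by the monitored systems; the `expected` set is the piece that lets the reporting system suppress routine, change-controlled updates while still highlighting anything unapproved.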
CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6
Milestone 7: Baseline Management
Configuration and Change Management
Organizations can implement this control by developing a series of images and secure storage servers for hosting these standard images. Commercial and/or free configuration management tools can then be employed to measure the operating system and application settings of managed machines and look for deviations from the standard image configurations used by the organization. Some configuration management tools require that an agent be installed on each managed system, while others remotely log in to each managed machine using administrator credentials. Either approach, or a combination of the two, can provide the information needed for this control.
The system must be capable of identifying any changes to an official hardened image that may include modifications to key files, services, ports, configuration files, or any software installed on the system. Modifications include deletion, changes, or additions of new software to any part of the operating systems, services, or applications running on the system. The configuration of each system must be checked against the official master image database to verify any changes to secure configurations that would impact security. Any of these changes to a computer system must be detected within 24 hours and notification performed by alerting or sending e-mails to a list of enterprise administrative personnel. Systems must block installation, prevent execution, or quarantine unauthorized software within one additional hour, alerting or sending e-mail when this action has occurred. Every 24 hours after that point, the system must alert or send e-mail about the status of the system until the unauthorized system has been removed from the network or remediated. While the 24-hour and one-hour timeframes represent the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid alerting and isolation.
To evaluate the implementation of Control 3 on a periodic basis, an evaluation team must move a benign test system that does not contain the official hardened image, but that does contain additional services, ports, and configuration file changes, onto the network. This must be performed on 10 different random segments using either real or virtual systems. The evaluation team must then verify that the systems generate an alert regarding the changes to the software within 24 hours. It is important that the evaluation team verify that all unauthorized changes have been detected. The team must also verify that the alert or e-mail is received within one additional hour indicating that the software has been blocked or quarantined. The evaluation team must verify that the system provides details of the location of each machine with the unauthorized changes, including information about the asset owner.
The evaluation team must then verify that the software is blocked by attempting to execute it and verifying that it is not allowed to run. In addition to these tests, two additional tests must be performed:
1. File integrity checking tools must be run on a regular basis. Any changes to critical operating system, services, and configuration files must be checked on an hourly basis. Any changes must be blocked and follow the above notification process.
2. System scanning tools that check for software version, patch levels, and configuration files must be run on a daily basis. Any changes must be blocked and follow the above e-mail notification process.
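The procedure above compares each system against the official master image (services, ports, installed software, configuration files), requires detection within 24 hours and blocking or quarantine within one additional hour, and requires that the alert identify the machine and its asset owner. The following is an added example written for this page, not part of the control text or of any configuration management product: it diffs a constructed host snapshot against a constructed master-image baseline, builds the alert with host and owner, and evaluates whether the recorded alert and quarantine timestamps met the two timing targets, which is also the check an evaluation team performs on the benign test system. Hostnames, package versions, hashes and timestamps are all constructed.

```python
"""Configuration drift against a master image, plus the 24h/1h response check.

Added example for this control's detection and evaluation requirements; all
snapshots, timestamps and hostnames below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Snapshot:
    """What a configuration agent or remote scanner collects from one host."""
    services: set          # enabled service names
    listening_ports: set   # ("tcp", 22) style tuples
    packages: dict         # package name -> installed version
    config_hashes: dict    # config file path -> sha256 hex digest


def diff_snapshot(baseline: Snapshot, current: Snapshot) -> list:
    """Return deviations from the master image as (category, kind, item) tuples."""
    devs = []
    for cat in ("services", "listening_ports"):
        b, c = getattr(baseline, cat), getattr(current, cat)
        devs += [(cat, "added", x) for x in sorted(c - b)]
        devs += [(cat, "removed", x) for x in sorted(b - c)]
    for cat in ("packages", "config_hashes"):
        b, c = getattr(baseline, cat), getattr(current, cat)
        for key in sorted(set(b) | set(c)):
            if key not in c:
                devs.append((cat, "removed", key))
            elif key not in b:
                devs.append((cat, "added", key))
            elif b[key] != c[key]:
                devs.append((cat, "modified", key))
    return devs


DETECT_SLA = timedelta(hours=24)      # change must be detected and alerted within 24 hours
QUARANTINE_SLA = timedelta(hours=1)   # then blocked/quarantined within one additional hour


def check_response_times(changed_at, alerted_at, quarantined_at) -> dict:
    """Did detection and quarantine meet the control's timing targets?"""
    detected = alerted_at is not None and alerted_at - changed_at <= DETECT_SLA
    quarantined = (
        detected
        and quarantined_at is not None
        and quarantined_at - alerted_at <= QUARANTINE_SLA
    )
    return {"detect_within_24h": detected, "quarantine_within_1h": quarantined}


def build_alert(host: str, owner: str, devs: list) -> str:
    """Alert text carrying the machine's location, its asset owner and each deviation."""
    lines = [f"host={host} owner={owner} deviations={len(devs)}"]
    lines += [f"  {cat}: {kind} {item}" for cat, kind, item in devs]
    return "\n".join(lines)


# Constructed data: the master image, and a host that has drifted from it.
BASELINE = Snapshot(
    services={"sshd", "cron", "rsyslog"},
    listening_ports={("tcp", 22)},
    packages={"openssl": "1.1.1w", "sudo": "1.9.15"},
    config_hashes={"/etc/ssh/sshd_config": "a" * 64},
)
DRIFTED = Snapshot(
    services={"sshd", "cron", "rsyslog", "telnetd"},
    listening_ports={("tcp", 22), ("tcp", 23)},
    packages={"openssl": "1.1.1u", "sudo": "1.9.15", "unapproved-tool": "0.1"},
    config_hashes={"/etc/ssh/sshd_config": "b" * 64},
)


def demo(alert_delay_hours: int = 20, quarantine_delay_minutes: int = 40) -> dict:
    """Diff the drifted host, build its alert, and score the response timing."""
    devs = diff_snapshot(BASELINE, DRIFTED)
    changed_at = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    alerted_at = changed_at + timedelta(hours=alert_delay_hours)
    quarantined_at = alerted_at + timedelta(minutes=quarantine_delay_minutes)
    return {
        "deviations": devs,
        "timing": check_response_times(changed_at, alerted_at, quarantined_at),
        "alert": build_alert("ws-1042.corp.example", "asset-owner@example.com", devs),
    }


if __name__ == "__main__":
    result = demo()
    print(result["alert"])
    print(result["timing"])
```

Running `demo()` with the default delays shows both targets met; `demo(30, 10)` models an alert that arrived after the 24-hour window, which the control counts as a failure regardless of how fast the quarantine followed.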
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur. As with any configurations, all changes must be approved and managed by a change control process.
A control system is a device or set of devices to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the devices, software, and entities used to manage and implement consistent configuration settings to workstations, laptops, and servers on the network. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Secured system images applied to computer systems
Step 2: Secured system images stored in a secure manner
Step 3: Configuration management system validates and checks system images
Step 4: Configuration policy enforcement system actively scans production systems for misconfigurations or deviations from baselines
Step 5: File integrity assessment systems monitor critical system binaries and data sets
Step 6: White listing tool monitors systems configurations and software
Step 7: SCAP configuration scanner validates configurations
Step 8: File integrity assessment system sends deviations to alerting system
Step 9: White listing tool sends deviations to alerting system
Step 10: SCAP configuration scanner sends deviations to alerting system
Steps 11 and 12: Management reports document configuration status.
[5] The "first five" quick wins are those being implemented first by the most security-aware and skilled organizations because they are the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations.