SANS 20 Critical IT Security Controls #3: Securely configuring hardware and Software

The default configurations of many hardware and software products aren’t designed with security in mind, although that has been steadily changing over time. If your company installs hardware or software without immediately tightening their default configuration, you’re immediately exposed to a large number of automated computer attack programs roaming networks looking for vulnerable software.
To avoid this major security vulnerability, you can ask hardware makers to configure devices with the security controls already built in. You can also have formal policies in place that automatically scan your network for both hardware and software that needs security patches. You also must have a configuration management system in place, hopefully one that uses sophisticated configuration software to track system and software configuration across your enterprise.

You must create system images with documented and approved security settings. You must validate these “gold” system images frequently throughout the year, to update their security configuration based on all available security patches. The standard images should contain hardened versions of the operating system as well as all applications that run on that system, such as databases. Note that you must also include the implementation of intrusion detection and intrusion prevention systems and host-based firewalls among the system hardening procedures. You must then store the “gold” images on secure servers and use integrity checking tools and change management procedures to prevent any unauthorized changes to these images.

You can employ either a commercial or a free open source configuration management tools to check the server and application configuration and to track any deviations from the official “gold” configuration. You must also run file integrity checking tools round the clock to trap changes to critical system files. In addition, you must also put in place system scanning tools that send alerts concerning open ports, patch levels and software versions.

Leave a Comment

Your email address will not be published. Required fields are marked *