Frequently there is a lot that can be done with existing equipment to improve an organisation’s security posture. This not only improves general security, it can help an organisation resist targeted attacks. Configuration hardening is the process of reducing the attack surface of an organisation. There are in general four aims:
- Implement standards and write them down – if people do not know how to behave or what is the organisation’s standard configuration, how can policies be followed?
- Manage change – standard configurations are not always possible, how is that to be handled? Requirements changeover time, this also must be handled
- Identify what can operationally be hardened. It could be argued that disabling pinging makes an attacker’s job harder but it can be seriously detrimental to the smooth running of an organisation to do so. Perhaps looking at the various features of ping and deciding to limit those that can be used, like ping redirect, might be a good compromise
- Work out how assessments can be carried out – can they be automated so that tests can be scheduled?
A large percentage of vulnerabilities are as a result of incorrect configuration of devices. Another common action is to check versions, many routers, switches and even firewalls are rarely updated as frequently updates cannot be automated for operational reasons.
Only enable services that are required. This requires an understanding of what is required and what is running by default on any server whether file, email, web or security. What this does do is reduce which patches are critical which allows time to focus on those that are.
Allow only traffic that is needed – many firewalls still have unregulated outbound rules in place which is a simple and effective way of blocking the cruder malware that might be introduced into a network. However, carry out this policy across your network ensuring that if a segment does get compromised it does not result in other segments being easily available. For instance, when you have VPNs between sites, identify what is expected across that VPN and disable other traffic.
Passwords are a major issue, simple passwords, along with password reuse and password reset cause innumerable problems, just see the mess HB Gary got into as a result of poor password process. Putting a strict password policy in place is truly a cheap way to improve security, users and managers may not like it but they will be considerably more unhappy if their accounts are hacked.
Data storage planning is good practice. Every organisation, big or small, has data that is sensitive whether it is customer data or just the salary of the CEO. Have specific places within your network where this data is stored. It makes it easier to tie access down to just those that need to know, easier to isolate and make harder to access and if data encryption is used nowhere else, and it should be, it makes one place where it can be.
To follow on from the above paragraph, wherever possible encrypt data whether temporarily or permanently stored. It is the last line of defence when you systems have been compromised, it can save customers from exploitation and organisations from severe reputational damage, prosecution and fines.
Organizations would also need to ensure that segregation of duty requirements are satisfied – a lone IT manager is frequently a vulnerability in him or herself. They can make mistakes as there is no buddy system to help them check what they are doing, they rarely document changes and, of course, if they leave or go sick, there is no one to manage the environment. Where possible, personnel need to share duties and information – in some situations it may be necessary to outsource duties to ensure the required segregation and duplication of services.
There is considerable assistance available from a number of sources for Configuration Hardening:
- National Institute of Standards and Technology (NIST)
- Center for Internet Security (CIS)
- National Security Agency
- For those organisations with Cisco, there is help here.
It is important to recognise that configuration hardening takes time. Configurations need to be tested before being adopted. There may be a large number of systems in production and the required changes will have to be carried out during scheduled downtime. These standards will then be baked into provisioning processes for new systems.
There are tools that can help any organisation automate security assessments to ensure compliance to standards. Configuration drift is common where systems inevitably and incrementally move away from the company standard. It is important to catch this and to verify that such changes are justified and if not, that they are brought back into compliance. Carrying out such assessments manually means that they are usually done infrequently if at all, it also can be time consuming and without rigid discipline, may not be comprehensive.