As delivered from the manufacturer, your systems’ default configurations are often function-oriented rather than security-oriented. Changing the system’s default configuration to a more secure form is what we refer to as system hardening.
This task is critical for two main reasons:
- Security – the cyber-crime landscape keeps evolving with ever more sophisticated attack techniques. Yet it has been proven that investing in basic controls, such as system hardening, has the most significant impact on your organization’s security. In fact, misconfigured assets are responsible for over 40% of infrastructure vulnerabilities, and establishing secure configurations protects your organization from the widest range of attack techniques.
- Compliance – system hardening is now a fundamental requirement of most information security regulations. Regulations such as PCI-DSS, HIPAA, CMMC and others require an organization to implement a robust hardening policy. Hardening can no longer be a ‘check the box’ task to pass an audit.
The high regulatory demands and the growing risk of cyber-attacks require organizations to invest more than ever in achieving a secure baseline by implementing robust hardening policies.
Three Stages in a Hardening Project
- Setting hardening policies – policies must be as granular as possible, addressing different environments, machine types, roles and versions. It is normal for one organization to manage tens of policies for its infrastructure. Policies are usually based on industry best-practice benchmarks, adjusted to each organization’s unique needs.
- Generating an impact analysis of the policies and implementing them – the policies’ impact on production must be analyzed to prevent outages caused by their implementation. This is a critical stage, as it is prone to mistakes that can have devastating results. After the analysis, only policies that won’t disrupt production can be implemented on the relevant machines.
- Monitoring and maintaining compliance posture – hardening is often mistakenly treated as a one-time task. The truth is that if you treat it that way, you’ll find yourself back at square one a year or two after your initial hardening project, because the infrastructure is dynamic. As machines are decommissioned and others installed, change management procedures become the weak link in maintaining your compliance posture.
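The first stage above, granular policies built from a shared benchmark, is easier to reason about in code. The following is an added example, not code from the original article or from any hardening product: a base benchmark with small per-environment and per-role overlays is merged into the effective policy for one machine, and the machine’s observed settings are checked against it. All setting keys, values and tags are constructed for illustration and are not taken from any real benchmark.

```python
# Added example (not code from the original article): composing granular
# hardening policies from a base benchmark plus environment/role overlays,
# then checking one machine's current settings against its effective policy.
# All setting keys and values below are constructed for illustration; they
# are not taken from any real benchmark.

# Base benchmark: what every machine must meet (constructed values).
BASE_BENCHMARK = {
    "password.min_length": 14,
    "password.lockout_threshold": 5,
    "smbv1.enabled": False,
    "rdp.nla_required": True,
    "audit.logon_events": "success_and_failure",
}

# Overlays keyed by tag. A machine's tags are applied in order on top of the
# base benchmark, so a later overlay (e.g. a role) can tighten or relax what an
# earlier one (e.g. the environment) set. This keeps "tens of policies"
# manageable: one base plus small per-environment and per-role deltas.
OVERLAYS = {
    "env:production": {"password.lockout_threshold": 3},
    "env:lab": {"password.min_length": 10},
    "role:file_server": {"smb.signing_required": True},
    "role:jump_host": {"rdp.idle_timeout_min": 15},
}


def effective_policy(tags, base=BASE_BENCHMARK, overlays=OVERLAYS):
    """Merge the base benchmark with the overlays matching `tags`, in order.
    List the environment tag before the role tag so role-specific settings win."""
    policy = dict(base)
    for tag in tags:
        policy.update(overlays.get(tag, {}))
    return policy


def evaluate(policy, actual):
    """Compare observed settings against the effective policy.
    Returns (compliant, findings). A setting missing from `actual` is a finding,
    because an unset value cannot be assumed to be secure."""
    findings = []
    for key, expected in policy.items():
        observed = actual.get(key, "<unset>")
        if observed != expected:
            findings.append({"setting": key, "expected": expected, "observed": observed})
    return len(findings) == 0, findings


def compliance_percent(policy, actual):
    """Share of policy settings the machine currently meets, rounded to 0.1%."""
    _, findings = evaluate(policy, actual)
    return round(100.0 * (len(policy) - len(findings)) / len(policy), 1)


# Constructed snapshot of one production file server, with some drift.
SAMPLE_TAGS = ["env:production", "role:file_server"]
SAMPLE_ACTUAL = {
    "password.min_length": 14,
    "password.lockout_threshold": 5,       # production overlay requires 3
    "smbv1.enabled": False,
    "rdp.nla_required": True,
    "audit.logon_events": "failure_only",  # benchmark requires both
    # "smb.signing_required" is not set at all on this host
}

if __name__ == "__main__":
    policy = effective_policy(SAMPLE_TAGS)
    compliant, findings = evaluate(policy, SAMPLE_ACTUAL)
    print(f"compliant={compliant} score={compliance_percent(policy, SAMPLE_ACTUAL)}%")
    for f in findings:
        print(f"  {f['setting']}: expected {f['expected']!r}, observed {f['observed']!r}")
```

Treating an unset value as a finding rather than silently passing it is deliberate: the benchmarks this article refers to expect an explicit value, and a host that was never configured is exactly the one a check must surface.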
Challenge #1 – Generating an Impact Analysis Report
To create an impact analysis report detailing how your policy will affect your production, you’ll need to build a test environment.
Why? Implementing the policy directly on production systems can cause severe damage. Therefore, the policy must be tested on a dedicated test environment to understand its impact (impact analysis).
The challenge lies in the number of different environments, machine types and applications in your infrastructure.
Solution
- Non-automated – for an optimal impact analysis, you’ll need to simulate perfectly every type of environment you have in production. Then you’ll need to apply every required policy and check its impact on the servers’ functionality.
- Automated – use automated tools that generate this report by analyzing the impact directly on production. These tools are usually agent-based and will generate the most accurate report possible.
Challenge #2 – Policy Implementation and Change Management
For organizations to achieve a secure and compliant infrastructure, policies must be as granular as possible. This is why implementing the right policy on the right machine, and making sure all the rules are being followed, can be tricky. The process is prone to human error that can end up in a weakened security and compliance posture. In addition, keeping track of, managing and being able to roll back any policy change is rather complex in a multi-environment infrastructure.
Solution
- Non-automated – use group policy objects (GPOs) or configuration management tools, together with administrative procedures, to ensure that the right policy was fully implemented on the right machine. Follow change management best practices to build a change management policy inside your organization.
- Automated – an automated solution for this challenge lets you control the entire implementation process from a single point of control and helps you find your feet when managing multiple policies for your infrastructure. Change management procedures will no longer be an issue, and the entire process will be much less prone to human error.
Challenge #3 – Remaining Compliant
Investing effort in the proper hardening of servers is not enough. Ongoing monitoring and maintenance are required, as the production environment constantly changes and new vulnerabilities are discovered. A lot of time and money can be saved by adopting healthy habits that remove the need to harden your infrastructure from scratch every few years.
Solution
Non-automated / using scanning tools – You’ll need to implement structured procedures for:
- An annual policy update to account for new vulnerabilities and for changes in the infrastructure’s components and structure.
- Compliance checks to make sure that policy and infrastructure changes didn’t break compliance.
- Recording what changes were made, where and when. Usually, all relevant knowledge is held by the IT staff member responsible for the matter; once that staff member leaves the organization, no one knows what actually happened in the system or why certain decisions were made.
Automated – an automated solution for this challenge provides continuous monitoring of your compliance posture, prevents configuration drift and remediates undesired changes.
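The compliance checks, the record of who changed what and why, and the drift remediation described in this section can be tied together in one routine. The following is an added example, not code from the original article or from any hardening product: a recorded baseline is compared with a fresh snapshot, every drifted setting is matched against a change log, approved changes are accepted into the new baseline, and unapproved or unexplained changes go on a remediation plan together with the record that explains them. The hostname, setting keys, user names, ticket ids and timestamps are all constructed.

```python
# Added example (not code from the original article): detecting configuration
# drift between a recorded baseline and a fresh snapshot, then reconciling each
# drifted setting against a change record so that approved changes update the
# baseline, unapproved or unexplained changes go on the remediation plan, and
# the who/when/why of every change stays attached to the finding. Hostnames,
# setting keys, user names, ticket ids and timestamps are constructed.

from dataclasses import dataclass

ABSENT = "<absent>"  # sentinel for a setting present on only one side


@dataclass
class ChangeRecord:
    host: str
    setting: str
    new_value: object
    changed_by: str
    changed_at: str   # ISO 8601 timestamp (constructed)
    reason: str       # ticket id plus justification (constructed)
    approved: bool


def detect_drift(baseline, current):
    """Return {setting: (baseline_value, current_value)} for every difference,
    including settings that appeared or disappeared since the baseline."""
    drift = {}
    for key in set(baseline) | set(current):
        before = baseline.get(key, ABSENT)
        after = current.get(key, ABSENT)
        if before != after:
            drift[key] = (before, after)
    return drift


def reconcile(host, baseline, current, change_log):
    """Classify each drifted setting on `host`:
      approved   - newest matching change record is approved: accept it into
                   the new baseline
      unapproved - a matching record exists but was never approved: remediate
      unknown    - no record at all: remediate and investigate
    Returns (new_baseline, remediation, report). `remediation` maps a setting
    to the value to restore; ABSENT means the setting should be removed."""
    new_baseline = dict(baseline)
    remediation = {}
    report = []
    for setting, (before, after) in sorted(detect_drift(baseline, current).items()):
        matches = [r for r in change_log
                   if r.host == host and r.setting == setting and r.new_value == after]
        record = matches[-1] if matches else None
        if record is not None and record.approved:
            status = "approved"
            if after == ABSENT:
                new_baseline.pop(setting, None)
            else:
                new_baseline[setting] = after
        elif record is not None:
            status = "unapproved"
            remediation[setting] = before
        else:
            status = "unknown"
            remediation[setting] = before
        report.append({"setting": setting, "from": before, "to": after,
                       "status": status, "record": record})
    return new_baseline, remediation, report


# Constructed baseline recorded after the initial hardening of host srv-01.
BASELINE = {
    "smbv1.enabled": False,
    "rdp.nla_required": True,
    "password.lockout_threshold": 3,
    "firewall.enabled": True,
}

# Constructed snapshot taken later: two settings changed and one service appeared.
CURRENT = {
    "smbv1.enabled": False,
    "rdp.nla_required": False,
    "password.lockout_threshold": 5,
    "firewall.enabled": True,
    "telnet.enabled": True,
}

# Constructed change records; only the lockout change went through approval.
CHANGE_LOG = [
    ChangeRecord("srv-01", "password.lockout_threshold", 5, "jdoe",
                 "2024-03-02T10:15:00Z", "CHG-1042: helpdesk lockout storm, threshold raised", True),
    ChangeRecord("srv-01", "rdp.nla_required", False, "asmith",
                 "2024-03-05T16:40:00Z", "CHG-1051: legacy client test, not yet reviewed", False),
]

if __name__ == "__main__":
    new_baseline, remediation, report = reconcile("srv-01", BASELINE, CURRENT, CHANGE_LOG)
    for entry in report:
        rec = entry["record"]
        who = (f"{rec.changed_by} at {rec.changed_at} ({rec.reason})"
               if rec else "no change record")
        print(f"{entry['setting']}: {entry['from']!r} -> {entry['to']!r} [{entry['status']}] {who}")
    print("remediate:", remediation)
```

Keeping the change record inside the report entry is what preserves the "why" when the staff member who made the change is gone: the finding carries the ticket, the author and the timestamp, not just the before and after values. Run on a schedule, the same routine is the continuous monitoring the automated option describes.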
Conclusion
There are two approaches to system hardening – automated and non-automated. By choosing the non-automated approach, you’ll need to develop intra-organization procedures and rely on tools that are not hardening-specific, so the level of in-house knowledge and resources you’ll need will be high. This approach is relevant for small businesses with an infrastructure of up to 150 servers. For larger organizations, the recommended method is to use hardening automation tools. These tools provide a whole solution for this process and dramatically increase the chance of having a secure and compliant infrastructure.